SlideShare una empresa de Scribd logo

Achieving Pci Compliace

Denish Patel
Denish Patel

Achieving PCI compliance with PostgreSQL

TecnologíaEmpresariales
1 de 32
Descargar para leer sin conexión
/ Achieving PCI Compliance with PostgreSQL Denish Patel Database Architect
Who am I ? •  Denish Patel •  Database Architect •  Expertise in Oracle, PostgreSQL , MySQL •  Contact : denish@omniti.com •  Working with OmniTi for last 4 years •  Providing Solutions for business problems to deliver •  Scalability •  Reliability •  High Availability •  Consistency •  Security We are hiring!! Apply @ l42.org/lg 1
Agendum •  PCI Introduction & requirements •  Identify requirements that apply to databases •  How to fulfill these requirements •  Common Myths •  How OmniTi PayPI solution can help you •  Knowledge sharing 2
Introduction & History •  In an attempt to protect its cardholders from identity theft VISA introduced its Cardholder Information Security Program (CISP) in June 2001. •  PCI DSS is a result of the collaboration between all major credit card companies (including Visa, MasterCard, JCB, American Express, and Discover) that designed the PCI DSS to establish industry-wide security requirements. •  The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of specific credit card holder protection regulations and guidance to combat identity theft. •  PCI DSS v1.1 introduced in Sept 2006. PCI DSS v1.2 effective after Dec 31st 2008 till Jan 10, 2011 •  PCI DSS Version 2 published on 28th Oct 2010 & effective after Jan 11, 2011 3
PCI DSS Applicability •  If a Primary Account Number (PAN) is stored, processed, or transmitted. Data Element Storage Permitted Render data unreadable Card holder data Primary Account Number (PAN) Yes Yes (1) Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Sensitive authentication data (2) Full Magnetic Stripe Data No N/A CAV2/CVC2/CVV2/CID No N/A PIN/PIN Block No N/A (1) PCI DSS requirements 3.3 and 3.4 apply only to PAN. (2) Sensitive authentication data must not be stored after authorization (even if encrypted). 4
Why PostgreSQL? “By default PostgreSQL is probably the most security-aware database available” – David Litchfield (The Database Hackers Handbook) PostgreSQL offers encryption at several levels, and provides flexibility in protecting data from disclosure due to database server theft, unscrupulous administrators, and insecure networks. SE-PostgreSQL project SE-Linux will provide row level security features on the par with Oracle – Oracle Label Security and Virtual Private Database 5
PCI DSS v2 : Objectives Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks. Maintain Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software. Requirement 6: Develop and maintain secure systems and applications. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data. 6
PCI DSS v2 : Objectives Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security. 7
Requirement # 1 Install and maintain a firewall configuration to protect cardholder data. 8
Requirement # 1 1.2 “Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.” PostgreSQL helps to achieve this requirement: •  pg_hba.conf built-in security feature helps to deny or limit database access from IP address ranges that are deemed “untrusted.” •  log_connections settings helps to centralize database connection logs to be kept at centralized place 9
Requirement # 2 Do not use vendor-supplied defaults for system passwords and other security parameters. •  Use a password for default “postgres” user •  Don’t allow trust authentication from any host/user/database in pg_hba.conf file. Not even from localhost and postgres user. •  Revoke remote login access on template1 and postgres default databases •  Grant limited permissions to monitoring user. •  Revoke objects privileges from PUBLIC •  Be careful about GRANTS •  Security Definer functions and Views are your friends 10
Example: Monitoring User CREATE ROLE nagios WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN PASSWORD 'XXX’; ALTER ROLE nagios SET search_path TO check_postgres, pg_catalog; SET search_path to check_postgres; CREATE FUNCTION pg_ls_dir(text) RETURNS SETOF text AS $$begin return query(select pg_catalog.pg_ls_dir('pg_xlog')); end$$ LANGUAGE plpgsql SECURITY DEFINER; CREATE VIEW pg_stat_activity AS SELECT pg_stat_activity.datid, pg_stat_activity.datname,pg_stat_activity.procpid, pg_stat_activity.usesysid, pg_stat_activity.usename, pg_stat_activity.current_query, pg_stat_activity.waiting, pg_stat_activity.xact_start, pg_stat_activity.query_start, pg_stat_activity.backend_start, pg_stat_activity.client_addr, pg_stat_activity.client_port FROM pg_stat_activity() pg_stat_activity(datid, datname, procpid, usesysid, usename, current_query, waiting, xact_start, query_start, backend_start, client_addr, client_port); 11
Requirement # 3 Protect stored cardholder data. “Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person…..” 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN) , Truncation (hashing cannot be used to replace the truncated segment of PAN) , Index tokens and pads (pads must be securely stored) Strong cryptography with associated key- management processes and procedures 12
Requirement # 3 •  Use PostgreSQL pgcrypto Encryption for Card Data •  Never hash a card without a salt, and preferably use variable salts •  Don't use md5, use something better like AES or SHA-256 •  Column level Encryption using pgcrypto 13
Example- Encrypt Card Holder Data CREATE ROLE ccuser WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN PASSWORD 'XX'; CREATE SCHEMA ccinfo; ALTER SCHEMA ccinfo OWNER TO ccuser; CREATE SEQUENCE cc_cc_id_seq INCREMENT BY 1 NO MAXVALUE NO MINVALUE CACHE 1; CREATE TABLE cc ( cc_id bigint DEFAULT nextval('cc_cc_id_seq'::regclass) NOT NULL, cc_number_first6 character(6) NOT NULL, cc_number text NOT NULL); CREATE TABLE ccsource ( source text NOT NULL); 14
Example- Encrypt Card Holder Data SET search_path to ccinfo; CREATE FUNCTION ccencrypt(text) RETURNS text AS $_$ select encode(pgcrypto.encrypt(decode($1,'escape'), (select decode(source,'escape') from ccinfo.ccsource),'aes'),'escape');$_$ LANGUAGE sql IMMUTABLE STRICT; CREATE FUNCTION ccdecrypt(text) RETURNS text AS $_$ select encode(pgcrypto.decrypt(decode($1,'escape’), (select decode(source,'escape') from ccinfo.ccsource),'aes'),'escape');$_$ LANGUAGE sql IMMUTABLE STRICT; REVOKE ALL ON FUNCTION ccdecrypt(text) FROM PUBLIC; CREATE TABLE users ( user_id bigint, user_name text, cc_number text, CONSTRAINT users_cc_number_check CHECK ((cc_number IS NULL)),); 15
Example- Encrypt Card Holder Data CREATE FUNCTION scrub_cc_info() RETURNS trigger AS $$DECLARE v_cc_id integer; BEGIN IF NEW.cc_number IS NULL THEN RETURN NEW; END IF; IF NEW.cc_id IS NULL THEN insert into ccinfo.cc (cc_id, cc_number_first6, cc_number) values (DEFAULT, substr(NEW.cc_number,1,6), ccinfo.ccencrypt(NEW.cc_number)) returning cc_id INTO v_cc_id; NEW.cc_id := v_cc_id; ELSE update ccinfo.cc set cc_number_first6 = substr(NEW.cc_number,1,6), cc_number = ccinfo.ccencrypt(NEW.cc_number) where cc_id = NEW.cc_id; END IF; NEW.cc_number := NULL; RETURN NEW; END$$ LANGUAGE plpgsql SECURITY DEFINER; CREATE TRIGGER scrub_cc_info BEFORE INSERT OR UPDATE ON users FOR EACH ROW EXECUTE PROCEDURE scrub_cc_info(); 16
Requirement # 4 Encrypt transmission of cardholder data across open, public networks. “Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.” The traffic between datacenters is encrypted at the network layer (secure VPN, for example) The pg_hba.conf file allows administrators to specify which hosts can use non-encrypted connections (host) and which require SSL- encrypted connections (hostssl). Encrypt applicable data before insert into database 17
Requirement # 5 Use and regularly update anti-virus software or programs. “Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.…” 18
Requirement # 6 Develop and maintain secure systems and applications. “All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.” •  Apply all new security patches within one month. •  PostgreSQL Security releases : http://www.postgresql.org/support/security.html 6.4 Follow change control procedures for all changes to system components. •  Documentation of impact •  Management sign-off for change •  Testing of operational functionality , results •  Rollback procedures 19
Requirement # 7 Restrict access to cardholder data by business need-to-know. •  PostgreSQL 8.4 provides column level permissions •  Use separate schema and revoke all permissions from schema •  Easy to revoke permissions on schema using PostgreSQL 9.0 schema level permissions feature •  Use Group Roles with NOLOGIN to avoid group login i.e “devs” •  Pg_hba.conf : Fine Grained Access Control 20
Requirement # 8 Assign a unique ID to each person with computer access. •  Assign unique ID for all users who have access to card holder data and systems related to it •  Ensure proper highly secure password policies in place for the systems storing credit card •  Use Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys) authentication method. 21
Requirement # 9 Restrict physical access to cardholder data. “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted…” 22
Requirement # 10 Track and monitor all access to network resources and cardholder data. •  Enable connection logging •  Use PostgreSQL Table Log PgFoundry tool to log any INSERTs, UPDATEs and DELETEs on a card holder table into another table. •  Enable Web Server access logs •  Setup monitor to find out suspicious access on PAN holding table •  Monitor postgresql logs for unsuccessful login attempts •  Data Analysis – Once a day or automated, Access Monitoring -Alerts •  Keep archive audit and log history for at least one year and for last 3 months ready available for analysis 23
Requirement # 11 Regularly test security systems and processes. “System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment. “ OmniTi Consulting can provide best practices around security policy, monitoring, and testing. 24
Requirement # 12 Maintain a policy that addresses information security. “A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it… “ Security = 80% of people and processes + 20% technology 25
Common Myths of PCI DSS •  Myth 1 – One vendor and product will make us compliant •  Myth 2 – Outsourcing card processing makes us compliant •  Myth 3 – PCI compliance is an IT project •  Myth 4 – PCI will make us secure •  Myth 5 – PCI is unreasonable; it requires too much •  Myth 6 – PCI requires us to hire a Qualified Security Assessor •  Myth 7 – We don’t take enough credit cards to be compliant •  Myth 8 – We completed a SAQ we’re compliant •  Myth 9 – PCI makes us store cardholder data •  Myth 10 – PCI is too hard 26
Solution 27
A payment processing solution : Paypi 28
Conclusion 29
References •  https://www.pcisecuritystandards.org/security_standards/ pci_dss_supporting_docs.shtml •  https://www.pcisecuritystandards.org/pdfs/ pciscc_ten_common_myths.pdf •  http://omniti.com/offers/paypi 30
Thanks •  PgWest Conference Committee •  OmniTi •  You!! We are hiring!! Apply @ l42.org/lg 31

Recomendados

Qnx os
Qnx os Qnx os
Qnx os
Student
 
Hpe Data Protector installation guide
Hpe Data Protector installation guideHpe Data Protector installation guide
Hpe Data Protector installation guide
Andrey Karpov
 
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) [발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
동현 김
 
Linux
LinuxLinux
Linux
Gouthaman V
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework
 
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
Jaime Sánchez
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to it
SUSE Labs Taipei
 
Linux Performance Tunning Memory
Linux Performance Tunning MemoryLinux Performance Tunning Memory
Linux Performance Tunning Memory
Shay Cohen
 

Recomendados

Qnx os
Qnx os Qnx os
Qnx os
Student
 
Hpe Data Protector installation guide
Hpe Data Protector installation guideHpe Data Protector installation guide
Hpe Data Protector installation guide
Andrey Karpov
 
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community) [발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
[발표자료] 오픈소스 Pacemaker 활용한 zabbix 이중화 방안(w/ Zabbix Korea Community)
동현 김
 
Linux
LinuxLinux
Linux
Gouthaman V
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework
 
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
Jaime Sánchez
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to it
SUSE Labs Taipei
 
Linux Performance Tunning Memory
Linux Performance Tunning MemoryLinux Performance Tunning Memory
Linux Performance Tunning Memory
Shay Cohen
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat Security Conference
 
Linux : Booting and runlevels
Linux : Booting and runlevelsLinux : Booting and runlevels
Linux : Booting and runlevels
John Ombagi
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
History of linux
History of linuxHistory of linux
History of linux
Shiwang Kalkhanda
 
Linux Boot Process
Linux Boot ProcessLinux Boot Process
Linux Boot Process
darshhingu
 
Docker para integradores Asterisk
Docker para integradores AsteriskDocker para integradores Asterisk
Docker para integradores Asterisk
OpenDireito
 
Comparison of OS
Comparison of OSComparison of OS
Comparison of OS
Jaswanth R
 
IBM Notes Traveler administration and Log troubleshooting tips
IBM Notes Traveler administration and Log troubleshooting tipsIBM Notes Traveler administration and Log troubleshooting tips
IBM Notes Traveler administration and Log troubleshooting tips
jayeshpar2006
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexec
joeylikernel
 
Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2
VCP Muthukrishna
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
Kernel TLV
 
Linux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBLinux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKB
shimosawa
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
Hisaki Ohara
 
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehtsZusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
panagenda
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Stefano Stabellini
 
Video Drivers
Video DriversVideo Drivers
Video Drivers
Anil Kumar Pugalia
 
Linux
LinuxLinux
Linux
maryamalmarrii
 
Linux Kernel Startup Code In Embedded Linux
Linux Kernel Startup Code In Embedded LinuxLinux Kernel Startup Code In Embedded Linux
Linux Kernel Startup Code In Embedded Linux
Emanuele Bonanni
 
Linux watchdog timer
Linux watchdog timerLinux watchdog timer
Linux watchdog timer
RajKumar Rampelli
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres Deployment
PGConf APAC
 
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJava Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
JAXLondon_Conference
 

Más contenido relacionado

La actualidad más candente

BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat Security Conference
 
Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2
VCP Muthukrishna
 
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehtsZusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
panagenda
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Stefano Stabellini
 
Linux Kernel Startup Code In Embedded Linux
Linux Kernel Startup Code In Embedded LinuxLinux Kernel Startup Code In Embedded Linux
Linux Kernel Startup Code In Embedded Linux
Emanuele Bonanni
 

La actualidad más candente (20)

BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
 
Linux : Booting and runlevels
Linux : Booting and runlevelsLinux : Booting and runlevels
Linux : Booting and runlevels
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
History of linux
History of linuxHistory of linux
History of linux
 
Linux Boot Process
Linux Boot ProcessLinux Boot Process
Linux Boot Process
 
Docker para integradores Asterisk
Docker para integradores AsteriskDocker para integradores Asterisk
Docker para integradores Asterisk
 
Comparison of OS
Comparison of OSComparison of OS
Comparison of OS
 
IBM Notes Traveler administration and Log troubleshooting tips
IBM Notes Traveler administration and Log troubleshooting tipsIBM Notes Traveler administration and Log troubleshooting tips
IBM Notes Traveler administration and Log troubleshooting tips
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexec
 
Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2Install SSH Server on Windows 2008 R2
Install SSH Server on Windows 2008 R2
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
 
Linux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBLinux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKB
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehtsZusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
Zusammenführung von HCL Nomad Web und Domino ohne SafeLinx - So gehts
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 
Video Drivers
Video DriversVideo Drivers
Video Drivers
 
Linux
LinuxLinux
Linux
 
Linux Kernel Startup Code In Embedded Linux
Linux Kernel Startup Code In Embedded LinuxLinux Kernel Startup Code In Embedded Linux
Linux Kernel Startup Code In Embedded Linux
 
Linux watchdog timer
Linux watchdog timerLinux watchdog timer
Linux watchdog timer
 

Destacado

Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJava Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
JAXLondon_Conference
 
24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL
InMobi Technology
 
Managing replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon RiggsManaging replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon Riggs
Fuenteovejuna
 

Destacado (20)

Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres Deployment
 
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJava Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
 
24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL
 
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
 
Secure PostgreSQL deployment
Secure PostgreSQL deploymentSecure PostgreSQL deployment
Secure PostgreSQL deployment
 
Microservices Past, Present, Future
Microservices Past, Present, FutureMicroservices Past, Present, Future
Microservices Past, Present, Future
 
Introduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XIDIntroduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XID
 
PostgreSQL: Past present Future
PostgreSQL: Past present FuturePostgreSQL: Past present Future
PostgreSQL: Past present Future
 
Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014
 
pg_hba.conf 이야기
pg_hba.conf 이야기pg_hba.conf 이야기
pg_hba.conf 이야기
 
5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance
 
Managing replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon RiggsManaging replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon Riggs
 
On The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL ClusterOn The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL Cluster
 
PostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and CapabilitiesPostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and Capabilities
 
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
 
Lightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst PracticesLightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst Practices
 
Lessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’tLessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’t
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs
 
How to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'rollHow to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'roll
 

Similar a Achieving Pci Compliace

Application Security
Application SecurityApplication Security
Application Security
florinc
 
EPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber ArkEPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber Ark
Erni Susanti
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
Faisal Akber
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
Evgeniya Shumakher
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB
 
Psdot 12 a secure erasure code-based cloud storage
Psdot 12 a secure erasure code-based cloud storagePsdot 12 a secure erasure code-based cloud storage
Psdot 12 a secure erasure code-based cloud storage
ZTech Proje
 

Similar a Achieving Pci Compliace (20)

Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
 
PostgreSQL Security. How Do We Think?
PostgreSQL Security. How Do We Think?PostgreSQL Security. How Do We Think?
PostgreSQL Security. How Do We Think?
 
Application Security
Application SecurityApplication Security
Application Security
 
PostgreSQL Security. How Do We Think? at PGCon 2017
PostgreSQL Security. How Do We Think? at PGCon 2017PostgreSQL Security. How Do We Think? at PGCon 2017
PostgreSQL Security. How Do We Think? at PGCon 2017
 
EPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber ArkEPV_PCI DSS White Paper (3) Cyber Ark
EPV_PCI DSS White Paper (3) Cyber Ark
 
Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1Enterprise-class security with PostgreSQL - 1
Enterprise-class security with PostgreSQL - 1
 
Percona Live 2021 - MongoDB Security Features
Percona Live 2021 - MongoDB Security FeaturesPercona Live 2021 - MongoDB Security Features
Percona Live 2021 - MongoDB Security Features
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
IRJET- Survey of Cryptographic Techniques to Certify Sharing of Informati...
IRJET- Survey of Cryptographic Techniques to Certify Sharing of Informati...IRJET- Survey of Cryptographic Techniques to Certify Sharing of Informati...
IRJET- Survey of Cryptographic Techniques to Certify Sharing of Informati...
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
IRJET- Privacy Preserving Cloud Storage based on a Three Layer Security M...
IRJET- Privacy Preserving Cloud Storage based on a Three Layer Security M...IRJET- Privacy Preserving Cloud Storage based on a Three Layer Security M...
IRJET- Privacy Preserving Cloud Storage based on a Three Layer Security M...
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
 
Bit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currencyBit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currency
 
Psdot 12 a secure erasure code-based cloud storage
Psdot 12 a secure erasure code-based cloud storagePsdot 12 a secure erasure code-based cloud storage
Psdot 12 a secure erasure code-based cloud storage
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 

Más de Denish Patel

Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres Monitoring
Denish Patel
 
Out of the Box Replication in Postgres 9.4(PgConfUS)
Out of the Box Replication in Postgres 9.4(PgConfUS)Out of the Box Replication in Postgres 9.4(PgConfUS)
Out of the Box Replication in Postgres 9.4(PgConfUS)
Denish Patel
 
Out of the Box Replication in Postgres 9.4(pgconfsf)
Out of the Box Replication in Postgres 9.4(pgconfsf)Out of the Box Replication in Postgres 9.4(pgconfsf)
Out of the Box Replication in Postgres 9.4(pgconfsf)
Denish Patel
 
Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)
Denish Patel
 
Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)
Denish Patel
 
Choosing the "D" , Lightning talk
Choosing the "D" , Lightning talkChoosing the "D" , Lightning talk
Choosing the "D" , Lightning talk
Denish Patel
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2
Denish Patel
 
Deploying Maximum HA Architecture With PostgreSQL
Deploying Maximum HA Architecture With PostgreSQLDeploying Maximum HA Architecture With PostgreSQL
Deploying Maximum HA Architecture With PostgreSQL
Denish Patel
 
P90 X Your Database!!
P90 X Your Database!!P90 X Your Database!!
P90 X Your Database!!
Denish Patel
 
Oracle10g New Features I
Oracle10g New Features IOracle10g New Features I
Oracle10g New Features I
Denish Patel
 

Más de Denish Patel (18)

Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres Monitoring
 
Out of the Box Replication in Postgres 9.4(PgConfUS)
Out of the Box Replication in Postgres 9.4(PgConfUS)Out of the Box Replication in Postgres 9.4(PgConfUS)
Out of the Box Replication in Postgres 9.4(PgConfUS)
 
Out of the box replication in postgres 9.4(pg confus)
Out of the box replication in postgres 9.4(pg confus)Out of the box replication in postgres 9.4(pg confus)
Out of the box replication in postgres 9.4(pg confus)
 
Out of the Box Replication in Postgres 9.4(pgconfsf)
Out of the Box Replication in Postgres 9.4(pgconfsf)Out of the Box Replication in Postgres 9.4(pgconfsf)
Out of the Box Replication in Postgres 9.4(pgconfsf)
 
Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)
 
Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)Out of the Box Replication in Postgres 9.4(PgCon)
Out of the Box Replication in Postgres 9.4(PgCon)
 
Out of the box replication in postgres 9.4
Out of the box replication in postgres 9.4Out of the box replication in postgres 9.4
Out of the box replication in postgres 9.4
 
Postgres in Amazon RDS
Postgres in Amazon RDSPostgres in Amazon RDS
Postgres in Amazon RDS
 
Choosing the "D" , Lightning talk
Choosing the "D" , Lightning talkChoosing the "D" , Lightning talk
Choosing the "D" , Lightning talk
 
Scaling postgres
Scaling postgresScaling postgres
Scaling postgres
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2
 
Two Elephants Inthe Room
Two Elephants Inthe RoomTwo Elephants Inthe Room
Two Elephants Inthe Room
 
Deploying Maximum HA Architecture With PostgreSQL
Deploying Maximum HA Architecture With PostgreSQLDeploying Maximum HA Architecture With PostgreSQL
Deploying Maximum HA Architecture With PostgreSQL
 
Deploying Maximum HA Architecture With PostgreSQL
Deploying Maximum HA Architecture With PostgreSQLDeploying Maximum HA Architecture With PostgreSQL
Deploying Maximum HA Architecture With PostgreSQL
 
P90 X Your Database!!
P90 X Your Database!!P90 X Your Database!!
P90 X Your Database!!
 
Using SQL Standards? Database SQL comparition
Using SQL Standards? Database SQL comparitionUsing SQL Standards? Database SQL comparition
Using SQL Standards? Database SQL comparition
 
Oracle10g New Features I
Oracle10g New Features IOracle10g New Features I
Oracle10g New Features I
 
Yet Another Replication Tool: RubyRep
Yet Another Replication Tool: RubyRepYet Another Replication Tool: RubyRep
Yet Another Replication Tool: RubyRep
 

Último

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Último (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Achieving Pci Compliace

  • 2. Who am I ? •  Denish Patel •  Database Architect •  Expertise in Oracle, PostgreSQL , MySQL •  Contact : denish@omniti.com •  Working with OmniTi for last 4 years •  Providing Solutions for business problems to deliver •  Scalability •  Reliability •  High Availability •  Consistency •  Security We are hiring!! Apply @ l42.org/lg 1
  • 3. Agendum •  PCI Introduction & requirements •  Identify requirements that apply to databases •  How to fulfill these requirements •  Common Myths •  How OmniTi PayPI solution can help you •  Knowledge sharing 2
  • 4. Introduction & History •  In an attempt to protect its cardholders from identity theft VISA introduced its Cardholder Information Security Program (CISP) in June 2001. •  PCI DSS is a result of the collaboration between all major credit card companies (including Visa, MasterCard, JCB, American Express, and Discover) that designed the PCI DSS to establish industry-wide security requirements. •  The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of specific credit card holder protection regulations and guidance to combat identity theft. •  PCI DSS v1.1 introduced in Sept 2006. PCI DSS v1.2 effective after Dec 31st 2008 till Jan 10, 2011 •  PCI DSS Version 2 published on 28th Oct 2010 & effective after Jan 11, 2011 3
  • 5. PCI DSS Applicability •  If a Primary Account Number (PAN) is stored, processed, or transmitted. Data Element Storage Permitted Render data unreadable Card holder data Primary Account Number (PAN) Yes Yes (1) Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Sensitive authentication data (2) Full Magnetic Stripe Data No N/A CAV2/CVC2/CVV2/CID No N/A PIN/PIN Block No N/A (1) PCI DSS requirements 3.3 and 3.4 apply only to PAN. (2) Sensitive authentication data must not be stored after authorization (even if encrypted). 4
  • 6. Why PostgreSQL? “By default PostgreSQL is probably the most security-aware database available” – David Litchfield (The Database Hackers Handbook) PostgreSQL offers encryption at several levels, and provides flexibility in protecting data from disclosure due to database server theft, unscrupulous administrators, and insecure networks. SE-PostgreSQL project SE-Linux will provide row level security features on the par with Oracle – Oracle Label Security and Virtual Private Database 5
  • 7. PCI DSS v2 : Objectives Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks. Maintain Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software. Requirement 6: Develop and maintain secure systems and applications. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data. 6
  • 8. PCI DSS v2 : Objectives Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security. 7
  • 9. Requirement # 1 Install and maintain a firewall configuration to protect cardholder data. 8
  • 10. Requirement # 1 1.2 “Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.” PostgreSQL helps to achieve this requirement: •  pg_hba.conf built-in security feature helps to deny or limit database access from IP address ranges that are deemed “untrusted.” •  log_connections settings helps to centralize database connection logs to be kept at centralized place 9
  • 11. Requirement # 2 Do not use vendor-supplied defaults for system passwords and other security parameters. •  Use a password for default “postgres” user •  Don’t allow trust authentication from any host/user/database in pg_hba.conf file. Not even from localhost and postgres user. •  Revoke remote login access on template1 and postgres default databases •  Grant limited permissions to monitoring user. •  Revoke objects privileges from PUBLIC •  Be careful about GRANTS •  Security Definer functions and Views are your friends 10
  • 12. Example: Monitoring User CREATE ROLE nagios WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN PASSWORD 'XXX’; ALTER ROLE nagios SET search_path TO check_postgres, pg_catalog; SET search_path to check_postgres; CREATE FUNCTION pg_ls_dir(text) RETURNS SETOF text AS $$begin return query(select pg_catalog.pg_ls_dir('pg_xlog')); end$$ LANGUAGE plpgsql SECURITY DEFINER; CREATE VIEW pg_stat_activity AS SELECT pg_stat_activity.datid, pg_stat_activity.datname,pg_stat_activity.procpid, pg_stat_activity.usesysid, pg_stat_activity.usename, pg_stat_activity.current_query, pg_stat_activity.waiting, pg_stat_activity.xact_start, pg_stat_activity.query_start, pg_stat_activity.backend_start, pg_stat_activity.client_addr, pg_stat_activity.client_port FROM pg_stat_activity() pg_stat_activity(datid, datname, procpid, usesysid, usename, current_query, waiting, xact_start, query_start, backend_start, client_addr, client_port); 11
  • 13. Requirement # 3 Protect stored cardholder data. “Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person…..” 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN) , Truncation (hashing cannot be used to replace the truncated segment of PAN) , Index tokens and pads (pads must be securely stored) Strong cryptography with associated key- management processes and procedures 12
  • 14. Requirement # 3 •  Use PostgreSQL pgcrypto Encryption for Card Data •  Never hash a card without a salt, and preferably use variable salts •  Don't use md5, use something better like AES or SHA-256 •  Column level Encryption using pgcrypto 13
  • 15. Example- Encrypt Card Holder Data CREATE ROLE ccuser WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN PASSWORD 'XX'; CREATE SCHEMA ccinfo; ALTER SCHEMA ccinfo OWNER TO ccuser; CREATE SEQUENCE cc_cc_id_seq INCREMENT BY 1 NO MAXVALUE NO MINVALUE CACHE 1; CREATE TABLE cc ( cc_id bigint DEFAULT nextval('cc_cc_id_seq'::regclass) NOT NULL, cc_number_first6 character(6) NOT NULL, cc_number text NOT NULL); CREATE TABLE ccsource ( source text NOT NULL); 14
  • 16. Example- Encrypt Card Holder Data SET search_path to ccinfo; CREATE FUNCTION ccencrypt(text) RETURNS text AS $_$ select encode(pgcrypto.encrypt(decode($1,'escape'), (select decode(source,'escape') from ccinfo.ccsource),'aes'),'escape');$_$ LANGUAGE sql IMMUTABLE STRICT; CREATE FUNCTION ccdecrypt(text) RETURNS text AS $_$ select encode(pgcrypto.decrypt(decode($1,'escape’), (select decode(source,'escape') from ccinfo.ccsource),'aes'),'escape');$_$ LANGUAGE sql IMMUTABLE STRICT; REVOKE ALL ON FUNCTION ccdecrypt(text) FROM PUBLIC; CREATE TABLE users ( user_id bigint, user_name text, cc_number text, CONSTRAINT users_cc_number_check CHECK ((cc_number IS NULL)),); 15
  • 17. Example- Encrypt Card Holder Data CREATE FUNCTION scrub_cc_info() RETURNS trigger AS $$DECLARE v_cc_id integer; BEGIN IF NEW.cc_number IS NULL THEN RETURN NEW; END IF; IF NEW.cc_id IS NULL THEN insert into ccinfo.cc (cc_id, cc_number_first6, cc_number) values (DEFAULT, substr(NEW.cc_number,1,6), ccinfo.ccencrypt(NEW.cc_number)) returning cc_id INTO v_cc_id; NEW.cc_id := v_cc_id; ELSE update ccinfo.cc set cc_number_first6 = substr(NEW.cc_number,1,6), cc_number = ccinfo.ccencrypt(NEW.cc_number) where cc_id = NEW.cc_id; END IF; NEW.cc_number := NULL; RETURN NEW; END$$ LANGUAGE plpgsql SECURITY DEFINER; CREATE TRIGGER scrub_cc_info BEFORE INSERT OR UPDATE ON users FOR EACH ROW EXECUTE PROCEDURE scrub_cc_info(); 16
  • 18. Requirement # 4 Encrypt transmission of cardholder data across open, public networks. “Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.” The traffic between datacenters is encrypted at the network layer (secure VPN, for example) The pg_hba.conf file allows administrators to specify which hosts can use non-encrypted connections (host) and which require SSL- encrypted connections (hostssl). Encrypt applicable data before insert into database 17
  • 19. Requirement # 5 Use and regularly update anti-virus software or programs. “Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.…” 18
  • 20. Requirement # 6 Develop and maintain secure systems and applications. “All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.” •  Apply all new security patches within one month. •  PostgreSQL Security releases : http://www.postgresql.org/support/security.html 6.4 Follow change control procedures for all changes to system components. •  Documentation of impact •  Management sign-off for change •  Testing of operational functionality , results •  Rollback procedures 19
  • 21. Requirement # 7 Restrict access to cardholder data by business need-to-know. •  PostgreSQL 8.4 provides column level permissions •  Use separate schema and revoke all permissions from schema •  Easy to revoke permissions on schema using PostgreSQL 9.0 schema level permissions feature •  Use Group Roles with NOLOGIN to avoid group login i.e “devs” •  Pg_hba.conf : Fine Grained Access Control 20
  • 22. Requirement # 8 Assign a unique ID to each person with computer access. •  Assign unique ID for all users who have access to card holder data and systems related to it •  Ensure proper highly secure password policies in place for the systems storing credit card •  Use Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys) authentication method. 21
  • 23. Requirement # 9 Restrict physical access to cardholder data. “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted…” 22
  • 24. Requirement # 10 Track and monitor all access to network resources and cardholder data. •  Enable connection logging •  Use PostgreSQL Table Log PgFoundry tool to log any INSERTs, UPDATEs and DELETEs on a card holder table into another table. •  Enable Web Server access logs •  Setup monitor to find out suspicious access on PAN holding table •  Monitor postgresql logs for unsuccessful login attempts •  Data Analysis – Once a day or automated, Access Monitoring -Alerts •  Keep archive audit and log history for at least one year and for last 3 months ready available for analysis 23
  • 25. Requirement # 11 Regularly test security systems and processes. “System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment. “ OmniTi Consulting can provide best practices around security policy, monitoring, and testing. 24
  • 26. Requirement # 12 Maintain a policy that addresses information security. “A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it… “ Security = 80% of people and processes + 20% technology 25
  • 27. Common Myths of PCI DSS •  Myth 1 – One vendor and product will make us compliant •  Myth 2 – Outsourcing card processing makes us compliant •  Myth 3 – PCI compliance is an IT project •  Myth 4 – PCI will make us secure •  Myth 5 – PCI is unreasonable; it requires too much •  Myth 6 – PCI requires us to hire a Qualified Security Assessor •  Myth 7 – We don’t take enough credit cards to be compliant •  Myth 8 – We completed a SAQ we’re compliant •  Myth 9 – PCI makes us store cardholder data •  Myth 10 – PCI is too hard 26
  • 29. A payment processing solution : Paypi 28
  • 32. Thanks •  PgWest Conference Committee •  OmniTi •  You!! We are hiring!! Apply @ l42.org/lg 31