TRANSCRIPT
2010 User Conference, April 23rd – 25th, Philadelphia, PA
PCI Compliance & Security
Presented By:
Kevin Smith & Mark Setzer
Stone Edge Technologies, Inc.
April 24, 2010 10:30 AM – 12:00 PM
PCI PA-DSS Compliance
The Stone Edge Order Manager Payment System
Presented By:
Kevin Smith
Senior Developer, Stone Edge Technologies, Inc.
April 24, 2010 10:30 AM – 12:00 PM
PA-DSS?
• Payment Application Data Security Standard
• Created & Enforced by PCI
• Maintained by PCI Security Standards Council
• Liability Concerns as a Merchant
• Impacts Applications Storing Cardholder Data
• Certification Needed for Gateway Access
• Deadlines!
Dilemma!
• Is the Order Manager Certifiable?
  – Security Concerns
  – Time & Cost of Certification
  – Versioning Considerations
• Questions
  – To Store or Not To Store
  – Long Term Issues and Liabilities
  – Third Party Integration Concerns
Management Decision
• New Payment System
  – Simplicity (KISS – OOPS!)
  – Limited Versioning
  – Data Isolation
  – Encryption Concerns
  – Code Centralization
  – Formalized Process Flow
  – Streamline Processor Integrations
  – Achieve Certification
[Diagram: Order Manager payment flow before the new payment system]
Entry points: Import, MOP, View Orders, Manual Orders, POS, Order Approval, Pack & Ship.
Each entry point carried its own copy of the CCProc logic (in user interface and/or code), its own Data Action Rules and Email Payment Result handling, and called the Gateway Code directly.

[Diagram: Order Manager payment flow with the new payment system]
Entry points: Import, MOP, View Orders, Manual Orders, POS, Order Approval, Pack & Ship.
Every entry point makes a CCProc call into one centralized block (Data Collection, Action, Rules, Result Analysis, Record Payment, Email). Only that block talks to the Processor Code, which hands back a single RESULT.
Impact On Your Operations
• No Permanent Card Data Storage
• Less Liability
• Repeat Customers
  – Card Data Tokenization
  – Gateway Customer Management Systems
  – Payment Data From Website
• Partial Shipments & Subscriptions
• A Few Extra Clicks
• New Interface
Added Features
• Multiple Capture & Voice Auth Capture
• Blind Credit Support
• Additional Gateways
• Gift Card Support*
• PIN Pad Support
• Check Reader Support
• Encrypted Card Swipe Support
• Improved USB System
Security
Presented By:
Mark Setzer
Senior Developer, Stone Edge Technologies, Inc.
April 24, 2010 10:30 AM – 12:00 PM
Types of Security
• Physical
– Physical access means game over from a security standpoint
• Network
– Assume attacks are inevitable
– Who needs access? To what?
• Application
– Microsoft Access, Order Manager, Microsoft SQL Server
Order Manager Security
• Intended for basic reporting, logging, task assignment
• Not “hard” security
Network Security
• Hardware location
– Firewall rules
• Server administration
– Shared folders
– Active Directory
– Needed services
– Windows Updates
Application Security
• Microsoft Access
• SQL Server
  – Careful about “role” access
  – Difficult to provide “basic” access without allowing destructive behavior as well
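The SQL Server “role” point above, and the Data Isolation goal of the new payment system earlier in the deck, can be shown together in one added example. This T-SQL script is not Stone Edge code and is not taken from the Order Manager; it gives a reporting account read access to order data while keeping every destructive permission, and the payment table, out of reach. The database name [OrderManager], the tables dbo.Orders, dbo.Customers and dbo.PaymentTokens, and the Windows account CORP\om_reports are assumptions made for illustration.

```sql
-- Added example, not Stone Edge code. Assumed (hypothetical) names: database
-- [OrderManager]; tables dbo.Orders, dbo.Customers, dbo.PaymentTokens (gateway
-- tokens, not card numbers); Windows account CORP\om_reports.
USE [OrderManager];
GO

-- The weak shortcut, shown only for contrast: db_owner gives the "basic" user
-- read access, but also INSERT/UPDATE/DELETE, TRUNCATE, ALTER and DROP on everything.
-- EXEC sp_addrolemember 'db_owner', 'om_reports';

-- 1. Permissions live on a role, never on the individual user.
CREATE ROLE om_reporting AUTHORIZATION dbo;

-- 2. Grant SELECT only, and only on the tables reporting needs.
GRANT SELECT ON OBJECT::dbo.Orders    TO om_reporting;
GRANT SELECT ON OBJECT::dbo.Customers TO om_reporting;

-- 3. A DENY at schema scope wins over any object-level GRANT the user might
--    later inherit from another role, so the destructive verbs stay blocked
--    across the whole schema (TRUNCATE needs ALTER, so it is covered too).
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO om_reporting;
DENY ALTER ON SCHEMA::dbo TO om_reporting;

-- 4. Data isolation: the payment table is not even readable from reporting.
DENY SELECT ON OBJECT::dbo.PaymentTokens TO om_reporting;

-- 5. Map the Windows (Active Directory) account to a database user and add it
--    to the role. sp_addrolemember is the SQL Server 2005/2008 form; on 2012
--    and later, ALTER ROLE om_reporting ADD MEMBER om_reports; is current.
CREATE LOGIN [CORP\om_reports] FROM WINDOWS;
CREATE USER om_reports FOR LOGIN [CORP\om_reports];
EXEC sp_addrolemember 'om_reporting', 'om_reports';
GO

-- 6. Check effective permissions as that user before handing the account out.
--    HAS_PERMS_BY_NAME returns 1 where the permission is effective, 0 where not;
--    reporting should be able to read orders but neither delete them nor read tokens.
EXECUTE AS USER = 'om_reports';
SELECT HAS_PERMS_BY_NAME('dbo.Orders',        'OBJECT', 'SELECT') AS read_orders,
       HAS_PERMS_BY_NAME('dbo.Orders',        'OBJECT', 'DELETE') AS delete_orders,
       HAS_PERMS_BY_NAME('dbo.PaymentTokens', 'OBJECT', 'SELECT') AS read_tokens;
REVERT;
GO
```

The check in step 6 is the part worth repeating after every permission change. The reporting account is the easy case; the day-to-day Order Manager operator is the hard one the slide is pointing at, because an account that enters and approves orders needs INSERT and UPDATE on the order tables. For that account the realistic target is not read-only but a narrow write surface: no DELETE, no ALTER, and no path to the payment table at all, enforced with the same schema-level DENYs.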