In connection with the launch of our new product, WebCreds Checkout internet acquiring, we needed to settle on a plan for further development. That plan included a simple thing: if you want to work with various security partners, or in different currencies, then card data has to be entered on our own website. Only then do we run our own fraud processing to decide whether to pass the transaction further or not. At the same time, this would allow us to offer recurring billing, that is, automatic payments (for example, a monthly subscription fee).
Why is this topic interesting for us? If you own an online store or a large portal, or are responsible for converting visitors, then at the moment of payment you hand the payer over to the payment system's page, with a different design and environment and ugly forms. That is bad for conversion and makes the user unhappy. Having seen everything that happens on the payment page, the user often does not finish the payment: he was just on the store page and was already ready to pay, but now it is unclear where. The second purpose is the ability to choose a supplier of processing services depending on the context, while keeping a single payment page on your site.
Example: the card issuing country is encoded in the card number, so we can work out which country's processing it is better to forward the transaction to, and so deal with fraudulent transactions more confidently. There are many such possible applications.
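As an added illustration of that routing idea (this is example code written for this page, not WebCreds' code), the snippet below takes the first six digits of the card number (the BIN/IIN), checks the Luhn digit so an obvious typo never reaches a processor, looks the BIN up in a table and picks a processor, and keeps only a masked PAN (first six and last four digits) for logging. The BIN table, the processor names and the `choose_route` function are assumptions constructed for the example; real BIN ranges come from the card schemes' own lists.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample table (assumption, not real BIN data):
# BIN prefix -> (issuing country, preferred processor).
SAMPLE_BIN_TABLE: Dict[str, Tuple[str, str]] = {
    "411111": ("RU", "processor-ru"),
    "510510": ("US", "processor-us"),
    "400000": ("DE", "processor-eu"),
}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over the digits of a 12..19 digit PAN.

    Rejects typos before any routing decision is made; it says nothing
    about whether the card actually exists.
    """
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, which is what may be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Route:
    country: str       # issuing country from the BIN table, "??" if unknown
    processor: str     # processor the transaction is forwarded to
    masked_pan: str    # the only form of the PAN that is kept afterwards


def choose_route(pan: str,
                 bin_table: Dict[str, Tuple[str, str]] = SAMPLE_BIN_TABLE,
                 default_processor: str = "processor-default") -> Optional[Route]:
    """Validate the PAN, route by BIN, and return a record safe to log."""
    pan = pan.replace(" ", "")
    if not luhn_valid(pan):
        return None
    country, processor = bin_table.get(pan[:6], ("??", default_processor))
    return Route(country, processor, mask_pan(pan))


if __name__ == "__main__":
    # Constructed inputs: well-known scheme test numbers, not real cards.
    for sample in ("4111 1111 1111 1111", "5105105105105100", "4111111111111112"):
        print(sample, "->", choose_route(sample))
```

The full PAN exists only inside `choose_route`; everything that leaves the function is masked, which is the cheapest way to keep the rest of the system out of the auditor's scope.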
Disclaimer! I have great respect for international payment systems, their security requirements and their partners; I understand very well why these requirements exist, as well as the commercial interest of all participants in the certification market.
So, what I learned in two weeks about this:
1) In order to enter bank card data on your website, your information system must comply with the requirements of the PCI DSS standard. The Russian site dedicated to this topic is http://www.pcidss.ru/
2) In order to receive a certificate of compliance with the standard, QSA auditors are appointed by the supervisory board of the international payment systems in each country. Their lists are published; there are several such companies in Russia (http://www.dsec.ru/ and http://www.infosec.ru/ are the best known, but there are others). Since only a few organizations in the country are certified for this standard, they have little bread and are engaged not only in auditing but also in consulting in this area, as well as in application security auditing in general, because passing the audit itself at the first attempt is almost impossible (I tell you this as a person who had an IT security audit every year at a previous job).
3) For small merchants with up to 30 thousand card transactions per year, a simplified audit is provided: antivirus scanning of the host and an external vulnerability scan. Of course, 82 card operations per day, around 800 purchases per day on average, is quite a lot :)) But who will argue with the Americans! If you have more than 30,000 card transactions per year, then you go under the auditors' scalpel.
4) The auditors' interest is to start advising you, so they will look for anything that lowers your total score until you invite them to help you build a brilliant system for protecting payers' data. But the smart ones do it differently: they invite one auditor to advise during development, system changes and preparation for the audit, and a second one to perform the audit itself. Then you lock them in a meeting room and let them fight it out with each other. Thus, having spent a lot of money, in the most reliable and reasonably fast way you receive a certificate of compliance with the standard.
5) Based on the results of the audit, the auditor sends the payment system a RoC, a Report on Compliance. This report says what percentage of each chapter of the standard's requirements you meet, and what measures you have taken to reduce and control the risk where compliance with a Key Control is incomplete. The payment systems look at the report and happily tell you whether everything suits them. If everything is OK, they send you a beautiful picture with a Certificate, which looks like this, for example, like our colleagues' one.
6) Everyone familiar with information security audits against the BS 7799 or ISO 17799 standard understands what awaits them. In the standard's file you will find a brief introduction, and then in the text the Key Controls. It all looks like a table in which the requirement is written, then a brief explanation, then a field for marking the conformity of the inspected system, then the auditor's comments.
7) The auditor arriving at the site goes through all the chapters, of which there are 12, and puts a check mark against each Key Control. After the audit, he shows you this form and prepares a report. The report usually says that everything is very bad, or just bad. Recommendations on how to eliminate the shortcomings, naturally, are not given; those are available for some money.
8) Actually, the audit itself is not as expensive as implementing the requirements (of course, the audit is not cheap either: for Level 2 the amount will be at least 1,500,000 rubles). Therefore we had an idea: why not simply forgo the expensive toys? That is, we will be certified, but very carefully: for example, recurring billing would make it more expensive than working in general :) That can be paid off only by working actively on the adult market, and that is not our profile. And the less information you store and process, and the less functionality you have, the cheaper the implementation of the standard's requirements, and the audit itself, because there is less to audit.
9) You can watch very interesting presentations on this subject at the following links:
FAQ
About penetration testing
Some aspects of the standard's requirements
Experience in achieving the requirements of the standard at one of the giants of Russian processing
I think you will work out the text of the standard yourself. This is a very necessary thing for Russian e-commerce, and the more people know about it, the better.
With respect,
Ilya Abud