Does Your API Need to Be PCI Compliant?
DESCRIPTION
Part 7 in our series of API Best Practices Webinars - on PCI Compliance - by @brianpagano and @scottmetzger. Need your APIs to bring in revenue? Soon you may want to take credit card orders from customers on smartphones, tablets and other connected devices. But first, make sure your customers and your business are protected. Know about industry regulations on data security, otherwise known as PCI DSS Compliance. In this webinar, Brian Pagano and Scott Metzger from Apigee discuss how to get compliant and meet the requirements of PCI DSS when transacting via APIs.
TRANSCRIPT
Does Your API Need to be PCI Compliant?
Rapid API Workshop
Brian Pagano @brianpagano
Scott Metzger @scottmetzger
@brianpagano @scottmetzger
Mapping out your API Strategy
Pragmatic REST: API Design Fu
10 Patterns of Successful API Programs
API Metrics – What to Measure?
API Technology & Operations
Your API Sucks!
Today: Does Your API Need to be PCI Compliant?
Next: Launching Your API and Attracting Developers
Rapid API Workshop Webinar Series
• Facts & Common Myths about PCI Compliance
• What does it mean to be PCI compliant when transacting via APIs?
• How can Apigee enable you to be PCI compliant?
We Will Cover
What is it?
• The Payment Card Industry specification is produced by a consortium consisting of Visa, MasterCard, JCB, American Express, and Discover.
• It describes the proper handling of credit card information (during transactions and at rest).
PCI Fundamentals
What is it?
• Council originally formed in 2006.
• DSS (Data Security Standards) define 12 requirements for compliance.
PCI Fundamentals
What it isn't?
• It is not an enforcement or policing organization.
PCI Fundamentals
Then what does it do?
• The intent is to prevent merchants from having to write to multiple, proprietary standards.
• Gives consumers confidence.
• Useful for audits.
PCI Fundamentals
• So who should care about PCI?
PCI Fundamentals
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
Main PCI Control Objectives
Build and maintain a secure network
• Install and maintain a firewall
• Do not use any default passwords
PCI Control Objectives
Protect Cardholder Data
• Protect stored data
• Encrypt transmission of data
PCI Control Objectives
Maintain a vulnerability management program
• Update anti-virus
• Develop secure applications and systems
PCI Control Objectives
Implement strong access control measures
• Need-to-know access to cardholder data
• System access only via unique IDs
• Physical access controls
PCI Control Objectives
Regularly monitor and test networks
• Monitor network access
• Test systems, test processes
PCI Control Objectives
Maintain an information security policy
PCI Control Objectives
• A company must have an audit performed by a third-party auditing firm from the Visa/Mastercard approved auditor list, which checks that the correct processes and technologies are in place.
What does it mean to be PCI Compliant?
Does my API need to be PCI compliant?
PCI Compliance
Can a software tool make me PCI compliant?
• No.
PCI Compliance
So, PCI is a specification for (a) processes and (b) security measures to protect cardholder information.
• Apigee can help with the process.
• Apigee can help with the technology.
PCI & Apigee
• The Apigee gateway provides a central location for logging, policies, and security.
• The gateway can perform data masking to log transactions without storing any sensitive information. It also feeds into log aggregators.
• This centralization helps with auditing and attestations.
PCI & Apigee: Process
• The Apigee gateway contributes to defense in depth, protects backend systems, and strengthens network security.
• Apigee provides a hosted solution that enables PCI compliance.
• No product will make someone PCI compliant!
• Apigee enables and contributes to compliance.
PCI & Apigee: Technology
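A worked illustration of the data-masking step mentioned above, added here as an example; it is not Apigee's own policy code (which is configured in the gateway rather than written like this). It shows what a log scrubber has to do before a transaction is written to a log aggregator: find card numbers (PANs) in free text or a JSON body, keep only the last four digits of anything that passes the Luhn check, and drop fields such as the CVV that may never be stored at all. The regex, the Luhn filter and the field-name list are assumptions of the example.

```python
import json
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes (assumed format).
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Sensitive authentication data that must never be stored after authorization, so these
# fields are dropped rather than masked (constructed field-name list; align it with your schema).
NEVER_LOG_FIELDS = {"cvv", "cvc", "cvv2", "pin", "track"}

def luhn_valid(digits: str) -> bool:
    """Luhn check, so order ids or timestamps that merely look like a PAN stay readable."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(candidate: str) -> str:
    """Keep only the last four digits (PCI DSS 3.3 permits at most first six and last four)."""
    digits = re.sub(r"[ -]", "", candidate)
    if not luhn_valid(digits):
        return candidate  # not a card number, leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]

def mask_text(text: str) -> str:
    """Mask every Luhn-valid PAN in a free-form log line."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), text)

def scrub_value(obj):
    """Recursively mask PANs in a parsed JSON body and drop fields that must never be logged."""
    if isinstance(obj, dict):
        return {k: scrub_value(v) for k, v in obj.items() if k.lower() not in NEVER_LOG_FIELDS}
    if isinstance(obj, list):
        return [scrub_value(v) for v in obj]
    if isinstance(obj, str):
        return mask_text(obj)
    if isinstance(obj, int) and not isinstance(obj, bool):  # PAN sent as a bare JSON number
        masked = mask_text(str(obj))
        return masked if masked != str(obj) else obj
    return obj

def mask_json_body(body: str) -> str:
    """Return the loggable form of a JSON request body."""
    return json.dumps(scrub_value(json.loads(body)), sort_keys=True)
```

Run `mask_text` over a constructed line such as `POST /v1/charges card=4111 1111 1111 1111 order=1234567890123456 status=200` and only the card number is masked; the Luhn-invalid order id is left readable.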
THANKS! Send questions, examples, and ideas to @apigee
Brian Pagano Scott Metzger [email protected] [email protected] @brianpagano @scottmetzger