does your api need to be pci compliant?

Does Your API Need to be PCI Compliant?

Rapid API Workshop

Brian Pagano @brianpagano

Sco7 Metzger @sco7metzger

@brianpagano @sco7metzger

Mapping out your API Strategy

Pragma?c REST: API Design Fu

10 Pa7erns of Successful API Programs

API Metrics – What to Measure?

API Technology & Opera?ons

Your API Sucks!

Today: Does Your API Need to be PCI Compliant?

Next: Launching Your API and A7rac?ng Developers

Rapid API Workshop Webinar Series

•  Facts & Common Myths about PCI Compliance •  What does it mean to be PCI compliant when transac?ng via APIs?

•  How can Apigee enable you to be PCI compliant?

We Will Cover

What is it? •  The Payment Card Industry specifica?on is produced by a consor?um consis?ng of Visa, MasterCard, JCB, American Express, and Discover.

•  It describes the proper handling of credit card informa?on (during transac?ons and at rest).

PCI Fundamentals

What is it? •  Council originally formed in 2006. •  DSS (Data Security Standards) define 12 requirements for compliance.

PCI Fundamentals

What it isn’t? •  It is not an enforcement or policing organiza?on.

PCI Fundamentals

Then what does it do? •  The intent is to prevent merchants from having to write to mul?ple, proprietary standards.

•  Gives consumers confidence. •  Useful for audits.

PCI Fundamentals

•  So who should care about PCI?

PCI Fundamentals

•  Build and maintain a secure network •  Protect cardholder data •  Maintain a vulnerability management program •  Implement strong access control measures •  Regularly monitor and test networks •  Maintain an informa?on security policy

Main PCI Control Objec?ves

Build and maintain a secure network •  Install and maintain a firewall •  Do not use any default passwords

PCI Control Objec?ves

Protect Cardholder Data •  Protect stored data •  Encrypt transmission of data


Maintain a vulnerability management program •  Update an?-‐virus •  Develop secure applica?ons and systems


Implement strong access control measures •  Need-‐to-‐know access to cardholder data •  System access only via unique IDs •  Physical access controls


Regularly monitor and test networks •  Monitor network access •  Test systems, test processes


Maintain an informa?on security policy


•  A company must have an audit performed •  By a third party audi?ng firm •  From the Visa/Mastercard approved auditor list,

•  Which checks that the correct processes and technologies are in place.

What does it mean to be PCI Compliant?

Does my API need to be PCI compliant?

PCI Compliance

Can a sofware tool make me PCI compliant? •  No.

PCI Compliance

So, PCI is a specifica?on for (a) processes and (b) security measures to protect cardholder informa?on.

•  Apigee can help with the process. •  Apigee can help with the technology.

PCI & Apigee

•  The Apigee gateway provides a central loca?on for logging, policies, and security.

•  The gateway can perform data masking to log transac?ons without storing any sensi?ve informa?on. Also, feeds into log aggregators.

•  This centraliza?on helps with audi?ng and a7esta?ons.

PCI & Apigee: Process

•  The Apigee gateway contributes to defense in depth, protects backend systems, and strengthens network security.

•  Apigee provides a hosted solu?on that enables PCI compliance.

•  No product will make someone PCI compliant! •  Apigee enables and contributes to compliance.

PCI & Apigee: Technology

Mapping out your API Strategy

Pragma?c REST: API Design Fu

10 Pa7erns in Successful API Programs

Today: API Metrics – What to Measure?

API Technology & Opera?ons

Your API Sucks!

Does Your API Need to be PCI Compliant?

Next: Launching Your API and ADracEng Developers

Rapid API Workshop Webinar Series

THANKS! Send ques)ons, examples, and ideas to @apigee

Brian Pagano Sco7 Metzger [email protected] [email protected] @brianpagano @sco7metzger