Agenda
• PCI Compliance Overview and Setup (LAB 1)
• PCI Compliance Scanning (LAB 2)
• PCI Compliance Reporting (LAB 3)
• Web Application Scanning for PCI
• Self Assessment Questionnaire (LAB 4)
• Qualys Policy Compliance (PC) (LAB 5)
PCI DSS BASICS
(Figure: the PCI compliance cycle)
1. Assess
2. Repair
3. Report
1 https://www.pcisecuritystandards.org/
PCI Stakeholders
• Payment Brands – Define compliance standards
• Acquirer – Bank that verifies compliance
• Approved Scanning Vendor – Required by PCI DSS for performing PCI compliance scans
• Scan Customer or Merchant – Responsible for defining PCI scope and maintaining compliance with the PCI DSS.
PCI Security Standards Council
“The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”1
1 https://www.pcisecuritystandards.org/
Role of the PCI SSC
(Figure: the PCI DSS is made up of validated requirements, requirements and recommendations.)
http://www.pcisecuritystandards.org
PCI DSS1
1. Install and maintain a secure firewall configuration to protect cardholder data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
1 https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
Approved Scanning Vendor
Source: https://www.pcisecuritystandards.org/documents/asv_program_guide_v2.0.pdf
PCI SCOPE
Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Network Segmentation
Source: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
QUALYS COVERAGE OF PCI DSS
• Current Vulnerabilities
• Compliance Reports
(Figure: attestation workflow – Request Review, Approval, Counter-signed Attestation)
Navigation
(Figure: the navigation pane, including Quick Answers and Help, and SAQ)
Getting started - IP Wizard
• View existing IP addresses and Domains.
• Add/Remove IPs
• View Out of Scope IPs.
• Launch Discovery Scan.
PCI COMPLIANCE SCANNING
QUALYS PLATFORM
(Figure: the Qualys Platform, reached by the Qualys User, with an External Scanner Pool for External Assets and Cloud Assets, and an Internal Scanner inside the Corporate Environment for Internal Assets.)
Platform security:
• Strong Data Encryption
• Firewalls
• IDS
• TLS communications
Appliances support Vulnerability Management, Policy Compliance, and Web Application Scanning
PCI DSS Requirement 11.2
(Figure: PCI compliance workflow)
Log in → Scan → Open compliance status page → Submit attestation → Counter-signed Approval → Submit Certified report to acquiring bank
Connect and share
PCI Network Scanning
• Search for IP
• Filtering Mechanisms
• Vulnerabilities
• Severity Level
• Vulnerability Details
Compliance Scanning Objective
4. Submit False positives.
PCI COMPLIANCE
WITH
VULNERABILITY MANAGEMENT
Lab 2
(Figure: the compliance scanning cycle)
View Vulnerabilities
3. False Positives
4. Generate Report
5. Submit Report for Attestation Process
Remediate the “High” Vulnerabilities, then scan again to verify those vulnerabilities are fixed.
Overall Reports must be submitted to your acquiring bank on a Quarterly basis.
Reports – Reporting Wizard
• Merchant/Service Provider will submit report to ASV.
Report status:
• Generated
• Pending Review
• Attested
• Submitted
Submit to Bank
• Validates Merchant compliance.
• Report to Credit Card companies.
DSS – Open Services (Section 1.1.6)
Compliance Report
1 https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Qualys WAS Overview
WASC (www.webappsec.org) divides Web vulnerabilities into six categories:
• Authentication
• Authorization
• Client-side Attacks
• Command Execution
• Information Disclosure
• Logical Attacks
Web Application Scanning
Introduction of Web Application Security
Testing a Web App for Vulnerabilities
Web Application Architecture
(Figure: the Client Browser (IE, FF, Safari, iCab, etc.) talks HTTP/HTML to the Web Server; behind it sit the Application, the Application Database, and internal services such as a Legacy Service and Merchant Services, etc.)
Qualys WAS Lifecycle
1. Define the Application
2. Discovery Scan
3. Vulnerability Scan
4. Report
Qualys PCI – Web Application Setup
New Web applications are created in the ACCOUNT section of the navigation pane.
Qualys PCI – Web Application Auth Record
Crawl via an authenticated or non-authenticated user.
Best Practice: Test Web applications from the perspective of multiple user levels.
Qualys PCI – Web Application Scan
Qualys PCI – Web App Scan Results
View scan results and report.
SELF-ASSESSMENT QUESTIONNAIRE
Merchant Levels 2, 3, and 4 are eligible for the Self-Assessment Questionnaire.
SAQ - A
training@qualys.com