Transcript
Page 1: Does your API need to be PCI Compliant?

Does Your API Need to be PCI Compliant?

Rapid API Workshop

Brian Pagano @brianpagano

Scott Metzger @scottmetzger

Page 2: Does your API need to be PCI Compliant?

@brianpagano @scottmetzger

Page 3: Does your API need to be PCI Compliant?

Mapping out your API Strategy

Pragmatic REST: API Design Fu

10 Patterns of Successful API Programs

API Metrics – What to Measure?

API Technology & Operations

Your API Sucks!

Today: Does Your API Need to be PCI Compliant?

Next: Launching Your API and Attracting Developers

Rapid API Workshop Webinar Series

Page 4: Does your API need to be PCI Compliant?

• Facts & Common Myths about PCI Compliance
• What does it mean to be PCI compliant when transacting via APIs?
• How can Apigee enable you to be PCI compliant?

We Will Cover

Page 5: Does your API need to be PCI Compliant?

What is it?
• The Payment Card Industry specification is produced by a consortium consisting of Visa, MasterCard, JCB, American Express, and Discover.
• It describes the proper handling of credit card information (during transactions and at rest).

PCI Fundamentals

Page 6: Does your API need to be PCI Compliant?

What is it?
• Council originally formed in 2006.
• DSS (Data Security Standards) define 12 requirements for compliance.

PCI Fundamentals

Page 7: Does your API need to be PCI Compliant?

What it isn't?
• It is not an enforcement or policing organization.

PCI Fundamentals

Page 8: Does your API need to be PCI Compliant?

Then what does it do?
• The intent is to prevent merchants from having to write to multiple, proprietary standards.
• Gives consumers confidence.
• Useful for audits.

PCI Fundamentals

Page 9: Does your API need to be PCI Compliant?

• So who should care about PCI?

PCI Fundamentals

Page 10: Does your API need to be PCI Compliant?

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Main PCI Control Objectives

Page 11: Does your API need to be PCI Compliant?

Build and maintain a secure network
• Install and maintain a firewall
• Do not use any default passwords

PCI Control Objectives

Page 12: Does your API need to be PCI Compliant?

Protect Cardholder Data
• Protect stored data
• Encrypt transmission of data

PCI Control Objectives

Page 13: Does your API need to be PCI Compliant?

Maintain a vulnerability management program
• Update anti-virus
• Develop secure applications and systems

PCI Control Objectives

Page 14: Does your API need to be PCI Compliant?

Implement strong access control measures
• Need-to-know access to cardholder data
• System access only via unique IDs
• Physical access controls

PCI Control Objectives

Page 15: Does your API need to be PCI Compliant?

Regularly monitor and test networks
• Monitor network access
• Test systems, test processes

PCI Control Objectives

Page 16: Does your API need to be PCI Compliant?

Maintain an information security policy

PCI Control Objectives

Page 17: Does your API need to be PCI Compliant?

• A company must have an audit performed
• By a third party auditing firm
• From the Visa/Mastercard approved auditor list,
• Which checks that the correct processes and technologies are in place.

What does it mean to be PCI Compliant?

Page 18: Does your API need to be PCI Compliant?

Does my API need to be PCI compliant?

PCI Compliance

Page 19: Does your API need to be PCI Compliant?

Can a software tool make me PCI compliant?
• No.

PCI Compliance

Page 20: Does your API need to be PCI Compliant?

So, PCI is a specification for (a) processes and (b) security measures to protect cardholder information.

• Apigee can help with the process.
• Apigee can help with the technology.

PCI & Apigee

Page 21: Does your API need to be PCI Compliant?

• The Apigee gateway provides a central location for logging, policies, and security.
• The gateway can perform data masking to log transactions without storing any sensitive information. Also, feeds into log aggregators.
• This centralization helps with auditing and attestations.

PCI & Apigee: Process
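The data-masking point above, as an added example that is not Apigee's own masking implementation: a gateway-side filter that rewrites a parsed request body before it is written to a log, replacing Luhn-valid PAN-shaped strings with their last four digits and dropping fields that PCI DSS never permits in storage. The field names in NEVER_LOG and the sample payload are assumptions constructed for the example (the card number is a standard test number, not a real account).

```javascript
// Added example: mask cardholder data before a request body reaches a log.
// Not Apigee's own masking code; field names and sample payload are constructed.

// Sensitive authentication data (CVV, PIN, track data) may never be stored, even masked.
const NEVER_LOG = new Set(["cvv", "cvc", "cvv2", "pin", "track1", "track2"]);

// Luhn check: tells a real PAN apart from an arbitrary run of digits (e.g. an order id).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

function looksLikePan(value) {
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Keep only the last four digits (PCI DSS allows at most first six / last four in the clear).
function maskPan(pan) {
  const digits = pan.replace(/[\s-]/g, "");
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Return a masked copy of a parsed JSON body; the original object is left untouched.
function maskForLog(node) {
  if (Array.isArray(node)) return node.map(maskForLog);
  if (node !== null && typeof node === "object") {
    const out = {};
    for (const [key, val] of Object.entries(node)) {
      out[key] = NEVER_LOG.has(key.toLowerCase()) ? "[REDACTED]" : maskForLog(val);
    }
    return out;
  }
  if (typeof node === "string" && looksLikePan(node)) return maskPan(node);
  return node;
}

// What the gateway would hand to the log aggregator for one transaction.
function logLine(body) { return JSON.stringify(maskForLog(body)); }

// Constructed sample request body.
const SAMPLE_BODY = {
  customer: { name: "A. Example", email: "a@example.com" },
  card: { pan: "4111 1111 1111 1111", expiry: "12/29", cvv: "123" },
  order_id: "1234567890123", // 13 digits but fails Luhn, so it is logged as-is
  amount: 42.5,
};
```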

Page 22: Does your API need to be PCI Compliant?

• The Apigee gateway contributes to defense in depth, protects backend systems, and strengthens network security.
• Apigee provides a hosted solution that enables PCI compliance.
• No product will make someone PCI compliant!
• Apigee enables and contributes to compliance.

PCI & Apigee: Technology

Page 23: Does your API need to be PCI Compliant?

Mapping out your API Strategy

Pragmatic REST: API Design Fu

10 Patterns in Successful API Programs

Today: API Metrics – What to Measure?

API Technology & Operations

Your API Sucks!

Does Your API Need to be PCI Compliant?

Next: Launching Your API and Attracting Developers

Rapid API Workshop Webinar Series

Page 24: Does your API need to be PCI Compliant?

THANKS! Send questions, examples, and ideas to @apigee

Brian Pagano Scott Metzger [email protected] [email protected] @brianpagano @scottmetzger
