SlideShare a Scribd company logo

Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang

Download as PPTX, PDF
DataStax
DataStax

Data security is an absolute requirement for any organization – large or small – that handles debit, credit and pre-paid cards. But navigating, understanding and complying with PCI-DSS (Payment Card Industry – Data Security Standards) regulations can be tough. In this webinar, we’ll examine the guidelines for securing payment card data and show you how a combined solution from DataStax and Gazzang can put you on course for compliance.

1 of 34
Don't Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang Pavan Venkatesh, Sr. Product Manager (DataStax) Sam Heywood, VP of Product & Marketing (Gazzang)
DataStax: An Overview • Founded in April 2010 • We drive Apache Cassandra™, the popular open-source NoSQL database • We provide DataStax Enterprise for enterprise NoSQL implementations • 400 customers • 200+ employees • Home to Apache Cassandra Chair & most committers • Headquartered in San Francisco Bay area • Funded by prominent venture firms 2
Gazzang: An Overview • Focus on securing sensitive data in cloud and big data environments • We help customers meet compliance requirements like HIPAA, PCI, FIPS and FERPA • Satisfy internal security mandates • Protect valuable client information • Headquartered in Austin, Texas
Today’s speakers Pavan Venkatesh, Senior Product Manager at DataStax Pavan oversees DataStax Enterprise and OpsCenter products. He has more than seven years of broad database and NoSQL experience. He also has a Master’s degree in Computer Science from Syracuse University. Sam Heywood, VP of Products and Marketing at Gazzang Sam drives Gazzang's global product innovation and delivery, corporate marketing and demand generation. A seasoned product and marketing executive with leadership experience at several notable technology startups, Sam is well versed in systems management, online CRM platforms, consumer ecommerce and security technologies. 4
Why DataStax? DataStax supports both the open source community and modern business enterprises. Open Source/Community Enterprise Software • Apache Cassandra (employ Cassandra chair and 90+% of the committers) • DataStax Community Edition • DataStax OpsCenter • DataStax DevCenter • DataStax Drivers/Connectors • Online Documentation • Online Training • Mailing lists and forums • DataStax Enterprise Edition • Certified Cassandra • Built-in Analytics • Built-in Enterprise Search • Enterprise Security • DataStax OpsCenter • Expert Support • Consultative Help • Professional Training 5
What is Apache Cassandra? • Masterless architecture with read/write anywhere design. • Continuous availability with no single point of failure. • Gold standard in multi-datacenter and cloud availability zone support. • Flexible data model perfect for time series and other data. • Linear scale performance with online capacity expansion. • Security with authentication and authorization. • Operationally simple. • CQL – SQL-like language. 100,000 txns/sec 200,000 txns/sec 6 400,000 txns/sec
Analyze your hot data • HDFS storage replaced with Cassandra (Cassandra File System – CFS) • No single points of failure as in Apache Hadoop distribution • MapReduce, Hive, Pig, Sqoop, and Mahout support • Hadoop task tracker started on all nodes • Able to create multiple CFSs across multiple data centers to segregate Hadoop data and tasks • Can create multiple job trackers – one for each data center 7
Search your hot data • Built on Cassandra • Automatic sharing via Cassandra replication • Very fast performance • Search indexes can span multiple data centers (regular Solr cannot) • Provides data durability (overcomes Solr’s lack of write-ahead log - if community Solr node goes down, data can be lost) • Online scalability via adding new nodes • Built-in failover; continuously available • Overcomes Solr write bottleneck – can read/write to any Solr node • CQL extended to support Solr/search queries 8
Cassandra/DataStax Users: A Sample 9
Why securing data is important ‘Twas the season to be hacked... The average cost of cybercrime hacking, phishing, Internet fraud, corporate security breach to U.S. organizations is nearly $12 million per year. Attacks get more sophisticated and traditional protections such as firewalls and antivirus are no longer sufficient.
What is PCI-DSS? • The Payment Card Industry (PCI) Data Security Standard (DSS) was developed ten years ago to enhance cardholder data security. • The PCI-DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). • This council was formed to prevent such identity thefts as described previously. 11
PCI - Who & Why? • Entities (merchants) involved in payment card processing (debit, credit, pre-paid etc.) have to comply with PCI-DSS standards to help avoid any data breach. • Compliance with PCI-DSS means that the payment card information (data) is very secure and customers can trust with their sensitive information. 12
PCI & Database Entities (Merchants) expect the underlying database to be in compliance with PCI-DSS as this sensitive data will eventually be stored in the data store. 13
Storage and access to digital, not physical data 1. Install and maintain a firewall 2. Do not use vendor-supplied defaults for passwords; develop configuration standards 3. Protect stored data 4. Encrypt transmission of cardholder data across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business and need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Test systems regularly to ensure security is maintained over time and through changes 12. Maintain an information security policy 14
15
PCI GUIDELINE #2 Do not use vendor supplied defaults 2.1 Always change vendorsupplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.2 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. DataStax Enterprise recommends you change the default password 16
PCI GUIDELINE #3 Protect stored cardholder data 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes 3.2 Do not store sensitive authentication data after authorization (even if encrypted) 3.3 Mask primary account number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed) 3.5 Protect any keys used to secure cardholder data against disclosure and misuse 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN); Truncation …….. 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data 17
WHAT’S NEW In PCI Guideline 3.0? • Subcontrol 3.5.1 covers restricting access to keys to the minimum possible number of people • Subcontrol 3.5.3 requires that keys are stored in as few places as possible • Subcontrols under 3.6 mandate that best practices are followed when replacing keys when they reach the end of their life or are compromised, and that those entrusted with managing keys understand and accept their responsibilities. 18
- Verizon 2014 PCI Compliance Report: An inside look at the business need for protecting payment card information. 19
HOW WE DO IT Transparent data encryption and key management • Protects sensitive data at rest from theft • No changes needed at application level • Keys are encrypted and secured in a software-based vault and wrapped with several policy layers that prevent unauthorized access 20
IN PRACTICE • Encrypt PAN numbers and customer PII for a mobile egifting platform • Protect credit card data and PHI for global health insurance company
PCI GUIDELINE #4 Encrypt transmission of cardholder data across public networks 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC. SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted • The protocol in use only supports secure versions or configurations • The encryption strength is appropriate for the encryption methodology in use 4.2 Never send unprotected PANs by end-user messaging technologies such as email, instant messaging or chat 22
HOW WE DO IT Client-to-Node and Node-to-Node Encryption • DSE protects data in flight from client machines to a database cluster  Ensures data cannot be captured/stolen in route to a server  Establishes a secure channel between the client and the coordinating node • DSE protects data transferred between nodes in a cluster using SSL • SSL keys are secured and managed to ensure only trusted processes can transmit data over the network 23
PCI GUIDELINE #7 Restrict access to data by business and need-to-know 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access 7.2 Establish an access control system for system components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed 24
HOW WE DO IT Internal Authentication • DataStax offers internal authentication using login accounts and passwords for Cassandra and Kerberos authentication for Cassandra, Hadoop and Solr • Provides granular based control over who can add/change/delete/read data • Grants or revokes permissions to access Cassandra data 25
HOW WE DO IT Access Controls • Gazzang offers process-based access controls determine which processes can access encrypted cardholder data  Only authorized database accounts with assigned database rights connecting from applications on approved network clients can access cardholder data stored on a server.  OS users that do not have a business need to read the data can be prevented from accessing it • Key release policies provide additional means of preventing unauthorized access 26
PCI GUIDELINE #8 Assign unique IDs for access 8.1 Provide each user with an ID that is unique and cannot be shared with anyone 8.2 Identify and authenticate access to system components
HOW WE DO IT Single Sign-On and Super Users • DSE offers external authentication through Kerberos to provide single sign on capability. • DSE also allows super user creation and can authorize other users. 28
PCI GUIDELINE #10 Track and monitor all access to network resources and cardholder data 10.3 Record audit trail entries for all system components for each event
HOW WE DO IT Data Auditing Control • DSE supports data auditing and is being implemented as a log4j-based integration • Granular control to audit only what’s needed 30
PCI Summary • The PCI-DSS is a set of comprehensive requirements for securing payment data. • Complying with PCI ensures the payment card information (sensitive data) is very secure, and customers can trust the complying organization with their sensitive payment card information. • This process can avoid any data breach or hack. • Ensures best practices for the entire infrastructure through access control policies, reporting and monitoring. 31
DataStax in conjunction with Gazzang provides comprehensive features for securing sensitive information stored in the Cassandra database and helps organizations comply with PCI-DSS requirements. 32
Next steps • Links to webinar recording and white paper coming to your inbox soon • Learn more about DataStax Enterprise (DSE):http://www.datastax.com/what-we-offer/productsservices/datastax-enterprise/advantages - navtop • DSE Security: http://www.datastax.com/documentation/datastax_enterprise/3.2/datastax_ enterprise/sec/secDSE.html • Request a demo of Gazzang+DataStax Enterprise: http://www.gazzang.com/products/zncrypt/datastaxenterprise 33
Thank you – Questions? We power the big data apps that transform business.

More Related Content

Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang

  • 1. Don't Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang Pavan Venkatesh, Sr. Product Manager (DataStax) Sam Heywood, VP of Product & Marketing (Gazzang)
  • 2. DataStax: An Overview • Founded in April 2010 • We drive Apache Cassandra™, the popular open-source NoSQL database • We provide DataStax Enterprise for enterprise NoSQL implementations • 400 customers • 200+ employees • Home to Apache Cassandra Chair & most committers • Headquartered in San Francisco Bay area • Funded by prominent venture firms 2
  • 3. Gazzang: An Overview • Focus on securing sensitive data in cloud and big data environments • We help customers meet compliance requirements like HIPAA, PCI, FIPS and FERPA • Satisfy internal security mandates • Protect valuable client information • Headquartered in Austin, Texas
  • 4. Today’s speakers Pavan Venkatesh, Senior Product Manager at DataStax Pavan oversees DataStax Enterprise and OpsCenter products. He has more than seven years of broad database and NoSQL experience. He also has a Master’s degree in Computer Science from Syracuse University. Sam Heywood, VP of Products and Marketing at Gazzang Sam drives Gazzang's global product innovation and delivery, corporate marketing and demand generation. A seasoned product and marketing executive with leadership experience at several notable technology startups, Sam is well versed in systems management, online CRM platforms, consumer ecommerce and security technologies. 4
  • 5. Why DataStax? DataStax supports both the open source community and modern business enterprises. Open Source/Community Enterprise Software • Apache Cassandra (employ Cassandra chair and 90+% of the committers) • DataStax Community Edition • DataStax OpsCenter • DataStax DevCenter • DataStax Drivers/Connectors • Online Documentation • Online Training • Mailing lists and forums • DataStax Enterprise Edition • Certified Cassandra • Built-in Analytics • Built-in Enterprise Search • Enterprise Security • DataStax OpsCenter • Expert Support • Consultative Help • Professional Training 5
  • 6. What is Apache Cassandra? • Masterless architecture with read/write anywhere design. • Continuous availability with no single point of failure. • Gold standard in multi-datacenter and cloud availability zone support. • Flexible data model perfect for time series and other data. • Linear scale performance with online capacity expansion. • Security with authentication and authorization. • Operationally simple. • CQL – SQL-like language. 100,000 txns/sec 200,000 txns/sec 6 400,000 txns/sec
  • 7. Analyze your hot data • HDFS storage replaced with Cassandra (Cassandra File System – CFS) • No single points of failure as in Apache Hadoop distribution • MapReduce, Hive, Pig, Sqoop, and Mahout support • Hadoop task tracker started on all nodes • Able to create multiple CFSs across multiple data centers to segregate Hadoop data and tasks • Can create multiple job trackers – one for each data center 7
  • 8. Search your hot data • Built on Cassandra • Automatic sharing via Cassandra replication • Very fast performance • Search indexes can span multiple data centers (regular Solr cannot) • Provides data durability (overcomes Solr’s lack of write-ahead log - if community Solr node goes down, data can be lost) • Online scalability via adding new nodes • Built-in failover; continuously available • Overcomes Solr write bottleneck – can read/write to any Solr node • CQL extended to support Solr/search queries 8
  • 10. Why securing data is important ‘Twas the season to be hacked... The average cost of cybercrime hacking, phishing, Internet fraud, corporate security breach to U.S. organizations is nearly $12 million per year. Attacks get more sophisticated and traditional protections such as firewalls and antivirus are no longer sufficient.
  • 11. What is PCI-DSS? • The Payment Card Industry (PCI) Data Security Standard (DSS) was developed ten years ago to enhance cardholder data security. • The PCI-DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). • This council was formed to prevent such identity thefts as described previously. 11
  • 12. PCI - Who & Why? • Entities (merchants) involved in payment card processing (debit, credit, pre-paid etc.) have to comply with PCI-DSS standards to help avoid any data breach. • Compliance with PCI-DSS means that the payment card information (data) is very secure and customers can trust with their sensitive information. 12
  • 13. PCI & Database Entities (Merchants) expect the underlying database to be in compliance with PCI-DSS as this sensitive data will eventually be stored in the data store. 13
  • 14. Storage and access to digital, not physical data 1. Install and maintain a firewall 2. Do not use vendor-supplied defaults for passwords; develop configuration standards 3. Protect stored data 4. Encrypt transmission of cardholder data across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business and need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Test systems regularly to ensure security is maintained over time and through changes 12. Maintain an information security policy 14
  • 15. 15
  • 16. PCI GUIDELINE #2 Do not use vendor supplied defaults 2.1 Always change vendorsupplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.2 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. DataStax Enterprise recommends you change the default password 16
  • 17. PCI GUIDELINE #3 Protect stored cardholder data 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes 3.2 Do not store sensitive authentication data after authorization (even if encrypted) 3.3 Mask primary account number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed) 3.5 Protect any keys used to secure cardholder data against disclosure and misuse 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN); Truncation …….. 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data 17
  • 18. WHAT’S NEW In PCI Guideline 3.0? • Subcontrol 3.5.1 covers restricting access to keys to the minimum possible number of people • Subcontrol 3.5.3 requires that keys are stored in as few places as possible • Subcontrols under 3.6 mandate that best practices are followed when replacing keys when they reach the end of their life or are compromised, and that those entrusted with managing keys understand and accept their responsibilities. 18
  • 19. - Verizon 2014 PCI Compliance Report: An inside look at the business need for protecting payment card information. 19
  • 20. HOW WE DO IT Transparent data encryption and key management • Protects sensitive data at rest from theft • No changes needed at application level • Keys are encrypted and secured in a software-based vault and wrapped with several policy layers that prevent unauthorized access 20
  • 21. IN PRACTICE • Encrypt PAN numbers and customer PII for a mobile egifting platform • Protect credit card data and PHI for global health insurance company
  • 22. PCI GUIDELINE #4 Encrypt transmission of cardholder data across public networks 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC. SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted • The protocol in use only supports secure versions or configurations • The encryption strength is appropriate for the encryption methodology in use 4.2 Never send unprotected PANs by end-user messaging technologies such as email, instant messaging or chat 22
  • 23. HOW WE DO IT Client-to-Node and Node-to-Node Encryption • DSE protects data in flight from client machines to a database cluster  Ensures data cannot be captured/stolen in route to a server  Establishes a secure channel between the client and the coordinating node • DSE protects data transferred between nodes in a cluster using SSL • SSL keys are secured and managed to ensure only trusted processes can transmit data over the network 23
  • 24. PCI GUIDELINE #7 Restrict access to data by business and need-to-know 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access 7.2 Establish an access control system for system components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed 24
  • 25. HOW WE DO IT Internal Authentication • DataStax offers internal authentication using login accounts and passwords for Cassandra and Kerberos authentication for Cassandra, Hadoop and Solr • Provides granular based control over who can add/change/delete/read data • Grants or revokes permissions to access Cassandra data 25
  • 26. HOW WE DO IT Access Controls • Gazzang offers process-based access controls determine which processes can access encrypted cardholder data  Only authorized database accounts with assigned database rights connecting from applications on approved network clients can access cardholder data stored on a server.  OS users that do not have a business need to read the data can be prevented from accessing it • Key release policies provide additional means of preventing unauthorized access 26
  • 27. PCI GUIDELINE #8 Assign unique IDs for access 8.1 Provide each user with an ID that is unique and cannot be shared with anyone 8.2 Identify and authenticate access to system components
  • 28. HOW WE DO IT Single Sign-On and Super Users • DSE offers external authentication through Kerberos to provide single sign on capability. • DSE also allows super user creation and can authorize other users. 28
  • 29. PCI GUIDELINE #10 Track and monitor all access to network resources and cardholder data 10.3 Record audit trail entries for all system components for each event
  • 30. HOW WE DO IT Data Auditing Control • DSE supports data auditing and is being implemented as a log4j-based integration • Granular control to audit only what’s needed 30
  • 31. PCI Summary • The PCI-DSS is a set of comprehensive requirements for securing payment data. • Complying with PCI ensures the payment card information (sensitive data) is very secure, and customers can trust the complying organization with their sensitive payment card information. • This process can avoid any data breach or hack. • Ensures best practices for the entire infrastructure through access control policies, reporting and monitoring. 31
  • 32. DataStax in conjunction with Gazzang provides comprehensive features for securing sensitive information stored in the Cassandra database and helps organizations comply with PCI-DSS requirements. 32
  • 33. Next steps • Links to webinar recording and white paper coming to your inbox soon • Learn more about DataStax Enterprise (DSE):http://www.datastax.com/what-we-offer/productsservices/datastax-enterprise/advantages - navtop • DSE Security: http://www.datastax.com/documentation/datastax_enterprise/3.2/datastax_ enterprise/sec/secDSE.html • Request a demo of Gazzang+DataStax Enterprise: http://www.gazzang.com/products/zncrypt/datastaxenterprise 33
  • 34. Thank you – Questions? We power the big data apps that transform business.

Editor's Notes

  1. As mentioned previously,PCI-DSS comprises 12 categories of regulations. Those in bold below deal directly with storage and access to digital, not physical data. PCI-DSS requires organizations to dispose of sensitive authentication data immediatelyfollowing a transaction. Because this data is never stored, this section will focus on PCI Requirements 2, 3, 4 and 7 which deal with cardholder data as it is transferred over the networkand retained in a database.
  2. Guideline #3 is one of the most critical guidelines out there. (true/false?) Here you see the variety of sub-guidelines related to Guideline #3 that deal with data obfuscation, network encryption and data access.
  3. Many of the changes introduced to Requirement 3 in DSS 3.0 involve improving the management of encryption keys.
  4. DSE and Gazzang offer transparent data encryptionthat secures cardholder data against disclosure and misuse.GazzangzNcrypt™ brings transparent data encryption to DataStax Enterprise, enabling customers to secure sensitive cardholder data including names, PANs, expiration dates and other associated personally identifiable information.
  5. Cashstar develops customer rewards programs for some of the largest retail brands in the world including Best Buy, Starbucks and GAP. Their e-gifting platform enables people to send personalized gift cards to anyone in the world. Each gift card comes with a unique Primary Account Number (PAN) that is stored in a database and encrypted by Gazzang in a manner that complies with PCI sections 3 and 7.That means that in addition to strong AES-256 data encryption, Cashstar manages the keys separate from the encrypted data and sets data retrieval access policies based on business need to know. 
  6. Section 7 of PCI-DSS requires that a company restrict access to cardholder data based on a user’s “need to know.” For data stored in DataStax Enterprise, this means only the authorized database accountswith assigned database rights connecting from applications on approved network clients should be able access cardholder data stored on a server. Operating system users, databaseand cloud administrators and other unauthorized parties should never have access to secure cardholder data.