Part 7 in our series of API Best Practices Webinars - on PCI Compliance - by @brianpagano and @scottmetzger
Need your APIs to bring in revenue? Soon you may want to take credit card orders from customers on smartphones, tablets and other connected devices.
But first, make sure your customers and your business are protected. Know about the industry regulations on data security, otherwise known as PCI DSS compliance.
In this webinar, Brian Pagano and Scott Metzger from Apigee discuss how to get compliant and meet the requirements of PCI DSS when transacting via APIs.
3. Rapid API Workshop Webinar Series
• Mapping out your API Strategy
• Pragmatic REST: API Design Fu
• 10 Patterns of Successful API Programs
• API Metrics – What to Measure?
• API Technology & Operations
• Your API Sucks!
• Today: Does Your API Need to be PCI Compliant?
• Next: Launching Your API and Attracting Developers
4. We Will Cover
• Facts & Common Myths about PCI Compliance
• What does it mean to be PCI compliant when transacting via APIs?
• How can Apigee enable you to be PCI compliant?
5. PCI Fundamentals: What is it?
• The Payment Card Industry specification is produced by a consortium consisting of Visa, MasterCard, JCB, American Express, and Discover.
• It describes the proper handling of credit card information (during transactions and at rest).
6. PCI Fundamentals: What is it?
• Council originally formed in 2006.
• DSS (Data Security Standards) define 12 requirements for compliance.
7. PCI Fundamentals: What it isn’t?
• It is not an enforcement or policing organization.
8. PCI Fundamentals: Then what does it do?
• The intent is to prevent merchants from having to write to multiple, proprietary standards.
• Gives consumers confidence.
• Useful for audits.
10. Main PCI Control Objectives
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
11. PCI Control Objectives: Build and maintain a secure network
• Install and maintain a firewall
• Do not use any default passwords
12. PCI Control Objectives: Protect Cardholder Data
• Protect stored data
• Encrypt transmission of data
13. PCI Control Objectives: Maintain a vulnerability management program
• Update anti-virus
• Develop secure applications and systems
14. PCI Control Objectives: Implement strong access control measures
• Need-to-know access to cardholder data
• System access only via unique IDs
• Physical access controls
15. PCI Control Objectives: Regularly monitor and test networks
• Monitor network access
• Test systems, test processes
17. What does it mean to be PCI Compliant?
• A company must have an audit performed
• By a third party auditing firm
• From the Visa/Mastercard approved auditor list,
• Which checks that the correct processes and technologies are in place.
20. PCI & Apigee
So, PCI is a specification for (a) processes and (b) security measures to protect cardholder information.
• Apigee can help with the process.
• Apigee can help with the technology.
21. PCI & Apigee: Process
• The Apigee gateway provides a central location for logging, policies, and security.
• The gateway can perform data masking to log transactions without storing any sensitive information. It also feeds into log aggregators.
• This centralization helps with auditing and attestations.
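The data-masking step in the second bullet, as an added example that is not Apigee's own policy code: a small Node.js routine that masks a JSON transaction record before it is logged or forwarded to a log aggregator, keeping only the first six and last four PAN digits (the truncation PCI DSS allows), dropping CVV and expiry entirely, and catching PAN-looking digit runs in free-text fields. The field names and the sample record are assumptions.

```javascript
// Added example (not Apigee's own masking policy): scrub cardholder data from a
// JSON transaction record before it is logged or sent to a log aggregator.
// Field names (pan, cvv, expiry) and the sample record below are assumptions.
const FIELD_RULES = { pan: "truncate", cvv: "drop", expiry: "drop" };
// Luhn check: avoids mangling order numbers that merely look like a PAN.
function luhnValid(digits) {
  let sum = 0, doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// PCI DSS truncation: keep first six + last four; implausible PANs are redacted whole.
function truncatePan(value) {
  const digits = String(value).replace(/[ -]/g, "");
  if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) return "[REDACTED]";
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Free-text fields: mask any 13-19 digit run that passes Luhn, leave the rest.
function maskFreeText(text) {
  return text.replace(/\b\d(?:[ -]?\d){12,18}\b/g, (run) =>
    luhnValid(run.replace(/[ -]/g, "")) ? truncatePan(run) : run);
}
// Walk the record recursively; nested objects and arrays are handled.
function maskLogRecord(node) {
  if (Array.isArray(node)) return node.map(maskLogRecord);
  if (node === null || typeof node !== "object") return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    const rule = FIELD_RULES[key.toLowerCase()];
    if (rule === "drop") out[key] = "[REDACTED]";
    else if (rule === "truncate") out[key] = truncatePan(value);
    else if (typeof value === "string") out[key] = maskFreeText(value);
    else out[key] = maskLogRecord(value);
  }
  return out;
}
// Constructed sample (4111... is the well-known Visa test number, not real data).
const SAMPLE_TRANSACTION = {
  orderId: "ord-1001",
  card: { pan: "4111 1111 1111 1111", cvv: "123", expiry: "12/27" },
  memo: "customer re-entered 4111111111111111; ref 12345678901234567",
};
console.log(JSON.stringify(maskLogRecord(SAMPLE_TRANSACTION)));
```

Run the masking before the record reaches any log sink; the original request body should never be written out, only the masked copy.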
22. PCI & Apigee: Technology
• The Apigee gateway contributes to defense in depth, protects backend systems, and strengthens network security.
• Apigee provides a hosted solution that enables PCI compliance.
• No product will make someone PCI compliant!
• Apigee enables and contributes to compliance.
23. Rapid API Workshop Webinar Series
• Mapping out your API Strategy
• Pragmatic REST: API Design Fu
• 10 Patterns in Successful API Programs
• API Metrics – What to Measure?
• API Technology & Operations
• Your API Sucks!
• Today: Does Your API Need to be PCI Compliant?
• Next: Launching Your API and Attracting Developers
24. THANKS!
Send questions, examples, and ideas to @apigee
Brian Pagano, bpagano@apigee.com, @brianpagano
Scott Metzger, smetzger@apigee.com, @scottmetzger