OpenFreeway PA-DSS Scoping

From FreeWay

Jump to: navigation, search

The PA-DSS is a payment application process standard brought by the PCI (Payment Card Industry) Security Standards Council. This standard is largely based on Visa's existing PABD (Payment Application Best Practices) i.e. the well known PCI-DSS standard.

The purpose of the standard is to help organizations prevent credit card fraud, hacking or any other security vulnerabilities and threats related to credit card payments. These are the works we are undertaking to reach PA-DSS compliance for Open Freeway.

To Do List

  • Create a matrix of minimum specifications for Apache, PHP, MySQL and operating system.
  • Create a test lab to simulate a potentially certifiable production system. Concentrate on combining a series of virtualized environments for firewall, web/application server and database server with the firewall creating two virtual firewalls protecting the web server and the database server.
  • Describe cron job for automated log transfer to central server.
  • Arrange 3rd party to manage automated vulnerability management testing.
  • Review OWASP development guidelines; implement and document processes where gaps exist.
  • Segment Freeway security testing from general application testing framework

Open Freeway Application Changes

  • Add auditing for all logins and attempts
  • Add logging for all financial transaction attempts and their resulting response codes together with IP address. Add customer ID where non-guest checkout used.
  • Add a salt to the admin user’s and customer’s passwords.
  • Add SHA-256 hashing to downloadable versions of Freeway and its patches.
  • Add creation of private keys in Freeway for all top level admin users as part of the user creation process.
  • Build triggered payment gateways.
  • Compartmentalise Freeway payment gateway processes

Documentation to Create

  • Freeway PA-DSS Implementation Guide
  • Describe how to install and configure Freeway to meet intent of PCI
  • Describe security features installer must provide for PCI compliance.
  • Matrix of dependencies of core elements Apache, PHP, MySQL and operating system.
  • Complete towards end of documentation
  • Development guide focused on development processes.
  • Includes secure design and coding steps
  • Includes security risk assessment of design changes and bug fixes
  • Include peer review processes
  • Include testing of security functionality in Freeway
  • SDLC
  • Include processes to ensure OWASP guidelines and risks are addressed. PA-DSS section 5
  • Specific information about inter-relationships between sections of Freeway. For example data input validation, routines and specifications between payment processes in Freeway.
  • QA processes including developer testing etc.
  • Gateways in process flows between stages of development. Migration planning.
  • Error handling in application; recovery, user notification, exception handling and logging.
  • Include OWASP references in doc or use OWASP doc as a base

Diagrams to create

  • Architectural plan
  • Include transaction flow from CMS to purchase processes
  • Typical implementation
  • Dependencies like PHPmyAdmin
  • Database schema
  • SDLC
  • Overview of iterative waterfall including key steps
Retrieved from "http://wiki.openfreeway.org/index.php/OpenFreeway_PA-DSS_Scoping"
Personal tools
Documentation