C# - WebBrowser and PCI DSS
In case the point-of-sale card reader stops working, a backup card entry method is required by the card-processing vendor. The processor's suggested method is that the application hosts a WebBrowser control showing the vendor's own site, in which the credit card info is entered at checkout, and watches for the URL to change to know when the transaction is complete and to receive a verification token.
This struck me as a potential PCI minefield:
- The keypresses go through the same process as the rest of the point-of-sale application, and WebBrowser provides in-process DOM hooks.
- I'm not sure what this means for HTTPS certificate validation in case of a MITM from a separate machine.
- There are probably other things I don't know are important (deprecated protocols and algorithms?).
To be sure, a standalone web browser would have some of these same issues, but at least it wouldn't be the responsibility of the application codebase. I wouldn't want a PCI audit to have problems with unrelated parts of the codebase because it shares a codebase with payment entry.
Am I overthinking this, since it's a backup method only used if the card reader is down? Is there a standard way of handling this?
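An added example, not code from the question or from the processor's suggested method: a WinForms form that hosts the vendor page, cancels any navigation outside the vendor's HTTPS origin, leaves IE's own security dialogs visible, and takes the verification token from the completion URL instead of hooking the DOM or keystrokes. The vendor host, the `/complete` path and the `token` parameter are assumed placeholders; this confines where the control can go but does nothing about how the embedded engine validates certificates or gets patched.

```csharp
using System;
using System.Web;            // HttpUtility: add a reference to System.Web
using System.Windows.Forms;

// Added example: host the vendor's card-entry page, confined to the vendor's HTTPS origin.
// VendorHost, the "/complete" path and the "token" query name are assumed placeholders.
public class HostedPaymentForm : Form
{
    const string VendorHost = "pay.example-vendor.test";
    readonly WebBrowser browser = new WebBrowser { Dock = DockStyle.Fill };
    public string VerificationToken { get; private set; }

    public HostedPaymentForm(Uri checkoutUrl)
    {
        if (!IsVendorOrigin(checkoutUrl))
            throw new ArgumentException("checkout URL must be on the vendor's HTTPS origin");
        browser.ScriptErrorsSuppressed = false;           // true would hide every ActiveX dialog, including security warnings
        browser.IsWebBrowserContextMenuEnabled = false;   // no "View source" / "Save as" on a card-entry page
        browser.WebBrowserShortcutsEnabled = false;       // no IE keyboard shortcuts inside the control
        browser.Navigating += OnNavigating;
        browser.Navigated += OnNavigated;
        Controls.Add(browser);
        browser.Navigate(checkoutUrl);
    }

    static bool IsVendorOrigin(Uri u) =>
        u.Scheme == Uri.UriSchemeHttps &&
        string.Equals(u.Host, VendorHost, StringComparison.OrdinalIgnoreCase);

    // Refuse any navigation (redirect, link, frame) that leaves the vendor's HTTPS origin;
    // about:blank is the control's own initial document and is allowed.
    void OnNavigating(object sender, WebBrowserNavigatingEventArgs e)
    {
        if (e.Url.ToString() == "about:blank") return;
        if (!IsVendorOrigin(e.Url)) e.Cancel = true;
    }

    // Completion is signalled by a URL change: read the token from the query string,
    // never by walking the DOM or observing keystrokes.
    void OnNavigated(object sender, WebBrowserNavigatedEventArgs e)
    {
        if (!IsVendorOrigin(e.Url) ||
            !e.Url.AbsolutePath.EndsWith("/complete", StringComparison.Ordinal)) return;
        var token = HttpUtility.ParseQueryString(e.Url.Query)["token"];
        if (string.IsNullOrEmpty(token)) return;
        VerificationToken = token;
        DialogResult = DialogResult.OK;   // closes the modal form; the caller verifies the token server-side
    }
}
```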
If you were being audited, the auditor would be following up on some basic things:
How is the embedded browser updated by the manufacturer? How do you receive updates? Do you receive/deploy automatic updates? Or do you have to redeploy the application whenever a critical security flaw is discovered/patched? How do you manage these updates? If updates are automatic, how do you QA them after they're in prod? If you have to redeploy the application, how do you roll it out to users? How do users update from insecure versions to secure versions? How is it pushed? Do you have a set of processes to manage this, between updating users who never have a clue what they're going to open and updating users running extremely vulnerable software?
In practice (particularly if you're subject to a post-breach audit), is the embedded browser updated to protect against patched security threats?
Does the embedded browser protect against browser-based threats like drive-by downloads? Does your anti-virus solution still work with the embedded browser? Are you sure? How have you tested that?
If you were, say, running a virtual terminal inside of a browser, you'd want to be able to answer the same questions about the regular browser. So, using an embedded browser doesn't change the letter of PCI-DSS. However, the security processes around an embedded browser are different.
For things like MITM attacks, I'm not entirely sure I understand the question. An embedded browser is as vulnerable as a regular browser to MITM, though regular browsers have more enhanced protection against man-in-the-middle attacks. For example, if the embedded browser is an updated version of Google Chrome, I'd feel a heck of a lot more secure than if the embedded browser were a version of IE 6 that hasn't seen an update in a decade.
The important thing to remember is that if the cardholder data environment (CDE) is within a secure network that receives regular vulnerability scans (and if you have a good, written process governing how you perform vulnerability scans), you should be fine in the event of a breach. The kicker though is that you need to document both the process and how you follow the process.
Say, for example, your process is to:
a.) Have an expert on your team vulnerability scan every second Friday.
b.) Hire an outside firm to do a full vulnerability scan once per quarter.
You'd need to have records of:
a.) Who is the expert? How are they trained? Are they qualified to do vulnerability scans? If they find a vulnerability, how is it escalated? On what dates did they perform scans? Do you have print-outs of the results? Do they fill out a form with findings? Do you have all of the forms? Can I see the results of the vulnerability scan performed on December 18, 2015?
b.) When you have professional scans done, who performs them? How do you vet that the firm is qualified? How do you vet that the person who did them is qualified? What happens if they find vulnerabilities? What happens if they find vulnerabilities the in-house expert doesn't find? Can I see the last report? Can I see the report from 3 quarters ago?