The Payment Card Industry – Data Security Standard (PCI-DSS) is a set of security requirements and standards established by the likes of Visa, MasterCard and American Express (among others) for organizations that deal with credit card information.
While properly implementing all of the requirements laid out in the PCI-DSS standard for each of your APIs that handle cardholder data can indeed grant you PCI compliance status, as recent studies have shown, compliance does not necessarily mean your cardholder data is protected. In fact, according to the Ponemon Institute’s “2011 PCI DSS Compliance Trends Study”, 81% of all PCI-compliant respondents to their survey indicated they had one or more data breach incidents involving cardholder data.
While all reasonable measures should be taken to protect cardholder data from being hacked, given the existing track record, the focus should be on making the data unusable should it fall into the hands of bad actors. The PCI-DSS standard approves of two approaches: encryption and/or tokenization.
Cardholder data passed over the wire can be protected at the transport level using industry-standard Secure Sockets Layer (SSL) encryption. When cardholder data is persisted to disk on an individual system, it should be encrypted using current industry-standard PKI cryptographic algorithms, or else tokenized (i.e. replacing key information, such as a PAN, with a random alphanumeric value) using token server technology.
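The tokenization approach described above, as an added example that is not part of the original article and not any vendor's token server: a minimal in-memory vault that swaps a PAN for a random, format-preserving token and maps it back only on request. The sample PAN is the well-known Visa test number, the vault dictionary and the `TokenVault` class are constructed for this illustration, and the HMAC-keyed PAN index is an assumption about how a vault avoids looking up plaintext PANs; a production vault would additionally encrypt the stored PANs and live inside the cardholder data environment.

```python
"""Tokenization demo: replace a PAN with a random, format-preserving token.

Constructed example, not code from the article or from any product. The
in-memory dict stands in for a token server's database.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample PAN: the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 12-19 digits and passes the Luhn checksum."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in token server: token -> PAN, plus a keyed index PAN -> token.

    The index is keyed by HMAC(PAN) so an existing token can be found without
    storing or comparing plaintext PANs in the index itself.
    """

    def __init__(self, index_key: Optional[bytes] = None):
        self._index_key = index_key or secrets.token_bytes(32)
        self._token_to_pan: Dict[str, str] = {}
        self._pan_index: Dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Format-preserving: same length, last four digits kept so the token
        # can still be displayed as "**** 1111"; everything else is random.
        # Candidates that pass Luhn are rejected so a token can never be
        # mistaken for a real card number; collisions are rejected too.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the existing token for `pan`, or mint and store a new one."""
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        key = self._index(pan)
        if key in self._pan_index:
            return self._pan_index[key]
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._pan_index[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN; only the vault can do this."""
        return self._token_to_pan[token]


def demo(pan: str = SAMPLE_PAN) -> dict:
    """Tokenize the sample PAN and report the properties a reviewer checks."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {
        "token": token,
        "same_length": len(token) == len(pan),
        "keeps_last4": token[-4:] == pan[-4:],
        "token_is_not_a_pan": not luhn_valid(token),
        "idempotent": vault.tokenize(pan) == token,
        "round_trip": vault.detokenize(token) == pan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes is that the token carries no information about the PAN beyond the four digits deliberately kept for display: a system that only ever holds tokens has nothing to lose in a breach, while the PAN itself is reachable only through the vault, which is the one component that must be protected to PCI-DSS standards.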
While all of these strategies can render cardholder data unusable by bad actors if intercepted at any point in the lifetime of a transaction message, they pose a number of implementation difficulties, including:
Layer 7 Gateway appliances (including the Layer 7 API Proxy) can be deployed in a PCI-DSS compliant manner following the step-by-step configuration information in the Layer 7 Secure Implementation Guide (SIG).
Message-level (and audit record) encryption is provided by the built-in PKI engine, which features an integrated CA for automated deployment and management of client-side certificates and Registration Authority (RA) capability for external CAs. The onboard Thales nShield crypto card delivers FIPS 140-2 level SSL communications for all incoming and outgoing message traffic, ensuring encryption at both the transport and message layers. The included Thales Hardware Security Module (HSM) also provides secure, tamper-resistant, off-disk key storage and key management. As a result, even if a breach of security occurs and data is removed from the Gateway, it will remain encrypted and secure. Access to keys and encrypted audits is fully controlled via Layer 7’s integrated RBAC system.
The Gateway appliance also features extensive threat and intrusion protection at both the transport and message level. The Gateway ships with a minimal-install, hardened operating system coupled with a strictly configured firewall, ensuring that only the ports required for message traffic are open. Out-of-the-box threat protection assertions allow users to create policies that guard against SQL and LDAP injection, code injection, CSRF, message structure attacks and replay attacks, and that perform virus scanning on message content. This ensures that Layer 7 Gateways are properly protecting the backend service from a variety of threats and malicious traffic.