Secure Coding for PCI Compliance

When considering secure coding for payment card industry compliance, code must adhere to the PCI DSS requirement. PCI DSS stands for Payment Card Industry Data Security Standard.

This adherence means building security into the development process. Compliance is dependent upon coders being properly trained to ensure that any card payment transactions are not occurring in an insecure environment.

Requirement 6 of PCI DSS relates to applications that store, process or transmit cardholder data. Further, it remands that all external and internal applications must follow the Payment Application Data Security Standard (PA-DSS) This requirement is the responsibility of all developers working on code related to cardholder data.

Objectives: Requirement 6 (PCI DSS)

6.1

Establish a process to identify security vulnerabilities by using reputable outside sources for security vulnerability information and then assigning a risk ranking such as high, medium or low to newly-discovered security vulnerabilities

To comply with 6.1, consider:

  • Documenting your list of software assets used to develop applications, explaining each function the asset provides and keeping it updated
  • Creating a system that monitors every item for vulnerabilities continuously; this system should be a reliable source

6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Once you have identified vulnerabilities per requirement 6.1, they need to be rectified with a patch. Anything is high-level should be patched first. You should also keep a patching audit log.

6.3

Develop secure software applications for internal and external applications, including Web-based administrative access in accordance with PCI DSS, industry best standards and with information security integrated. You can develop secure software applications by:

  • Requirement gathering: Determine the functional and technical specification requirements from the previous phase
  • Design: All design (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Beth Osborne. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/M06qQpszyIA/