PCI DSS compliance can help you protect sensitive data and prevent data breaches. Step 1: Identify sensitive data and track how your applications handle it.
This past weekend, as I was catching up on my reading, an older article caught my attention. It talked about how credit card numbers remain one of the top 10 types of stolen data traded on the dark web. It’s mind-boggling to learn how much you can earn from these stolen credit card numbers. Prices range from $5 to $110, with CVV data adding $5 and full bank info $15. A full package with name, social security number, birth date, and other personal data can cost another $30!
The tremendous value of this information, coupled with improper handling of sensitive data, is one reason for the high frequency of data breaches. Data breaches are a pervasive problem that affects multiple industries and organizations that handle or store personal information.
The number of data breaches has been climbing steadily: nearly 11.6 billion records containing sensitive information have been breached to date, and the count of breached records has risen by over 5% in the last eight months alone.
PCI DSS compliance is a journey, not a destination
Authorities have introduced various compliance standards to help businesses establish security governance and frameworks around consumer data privacy and protection. The Payment Card Industry Data Security Standard is one. PCI DSS helps protect cardholder data by reducing software security vulnerabilities that attackers can exploit.
PCI DSS has been in effect for over a decade, and most merchants are achieving PCI DSS compliance. Even so, we still see some of the world’s largest financial and retail institutions hit by data breaches. From the Home Depot data breach, which compromised 56 million credit cards, to the TJX data breach of 46 million credit card numbers, company after company has made headlines in recent years. Even government agencies have not been spared. In 2015, hackers attacked services of the Office of Personnel Management and stole the personnel files of 4.2 million former and current government employees.
These organizations could have avoided breaches if they had been in continuous compliance with PCI DSS and with guidance such as the OWASP Top 10. In the case of TJX, investigators found that the company had failed to comply with nine of the 12 PCI DSS requirements.
Why do data breaches happen?
Data breaches happen for multiple reasons, including these:
- Organizations addressing PCI DSS compliance only during the annual audit cycle, when an audit or assessment is approaching
- A lack of proper network segmentation of sensitive cardholder data (as was the case with the TJX breach)
- Improper storage of sensitive data
- Inadequate authentication to protect and swap out personal user data (as was the case with the OPM fingerprint breach)
- A lack of point-to-point encryption to protect card numbers from the first point-of-sale (POS) card transaction swipe all the way to the payment processor on the back end
Proper management of sensitive data, along with continuous audit and compliance, keeps data breaches at bay.
Sensitive-data exposure and the need for better security testing
With the plethora of web, mobile, and cloud-based applications in use today, the risk of exposing sensitive user data is very high. Not all applications are secure. In fact, many web applications do not properly protect sensitive data such as user passwords, account and credit card info, files, and personal biometric images. Hackers can easily steal this weakly protected or unprotected data and use it in credit card fraud, identity theft, and other cyber crimes. One purpose of PCI DSS compliance is to strengthen data protection.
Breaches still occur in many web applications, and application teams still fall prey to this type of security exploitation. A common oversight is failing to track where and how sensitive data is stored. Another frequent mistake is storing sensitive authentication data after authorization. Hackers can take advantage of inadequate security to capture unencrypted data wherever it’s stored, transmitted, or processed.
Thus, to protect your business’s most critical and sensitive data, you must know what type of data access will have a material impact on the organization and what tools, mechanisms, and controls you have in place.
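The two oversights named above (not knowing where sensitive data lands, and keeping sensitive authentication data after authorization) can be made concrete in code. The following is an added example written for this article; it is not code from the original post or from Synopsys. It assumes a simple dictionary-shaped authorization request whose field names (`pan`, `cvv2`, `track2`, and so on) are the app's own and would differ in practice, and it assumes the HMAC key comes from a proper key-management service rather than the literal used here. It applies the PCI DSS retention rules: sensitive authentication data (CVV/CVC, PIN, magnetic-stripe track data) is never stored after authorization, and the PAN is kept only as a masked display form plus a keyed hash.

```python
import hashlib
import hmac

# Sensitive authentication data (SAD): PCI DSS forbids storing any of it after
# authorization, even encrypted. The field names are assumptions about the
# application's own request schema, not a standard vocabulary.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "cvc2", "pin", "pin_block", "track1", "track2"}


def _digits(value: str) -> str:
    return "".join(ch for ch in value if ch.isdigit())


def _looks_like_full_pan(value) -> bool:
    """Heuristic: a string that is nothing but 13 to 19 digits (spaces/dashes allowed).
    A Luhn check would cut false positives such as long order numbers."""
    if not isinstance(value, str):
        return False
    stripped = value.replace(" ", "").replace("-", "")
    return stripped.isdigit() and 13 <= len(stripped) <= 19


def sanitize_for_storage(auth_request: dict, token_key: bytes) -> dict:
    """Derive the record that may be persisted once the authorization response is back.

    SAD fields are dropped; the full PAN is replaced by a masked display form plus a
    keyed hash (HMAC-SHA256) usable as a lookup reference; other fields are kept as-is.
    """
    record = {k: v for k, v in auth_request.items() if k.lower() not in SENSITIVE_AUTH_DATA}
    pan = record.pop("pan", None)
    if pan is not None:
        digits = _digits(pan)
        # Masking rule for display: at most the first six and last four digits visible.
        record["pan_masked"] = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        # A keyed hash rather than plain SHA-256: the PAN space behind a known BIN is
        # small enough to brute-force an unkeyed hash; PCI DSS v4.0 requires keyed hashes.
        record["pan_token"] = hmac.new(token_key, digits.encode(), hashlib.sha256).hexdigest()
    return record


def storage_violations(record: dict) -> list[str]:
    """Field names in a persisted record that should never be there: SAD or a cleartext full PAN."""
    return [
        k for k, v in record.items()
        if k.lower() in SENSITIVE_AUTH_DATA or _looks_like_full_pan(v)
    ]


# Constructed sample authorization request; the PAN is the public Visa test number.
SAMPLE_AUTH_REQUEST = {
    "merchant_ref": "ORD-2024-0501-77",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv2": "123",
    "track2": "4111111111111111=27121011000012345678",
    "amount": "19.99",
    "currency": "USD",
}


if __name__ == "__main__":
    print("violations if stored as received:", storage_violations(SAMPLE_AUTH_REQUEST))
    # In production the key comes from a KMS/HSM; the literal here is only for the demo.
    stored = sanitize_for_storage(SAMPLE_AUTH_REQUEST, b"constructed-demo-key")
    print("record that may be stored:", stored)
    print("violations after sanitizing:", storage_violations(stored))
```

`storage_violations` is the kind of check worth running against every persistence path (database rows, queue messages, session stores) rather than only at audit time; the raw request trips it on three fields, the sanitized record on none.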
How to meet PCI DSS compliance requirements
The Synopsys Seeker® solution is an interactive application security testing (IAST) tool that addresses PCI DSS compliance requirements for secure systems and applications. It meets your business’s need to better handle and manage critical, sensitive data. Its instrumentation technology continuously monitors, detects, and reports on critical vulnerabilities in real time.
There’s no need for additional security scanning or any human or process intervention, because our IAST solution can automatically notify security and development teams of detected vulnerabilities for triage and remediation. Common security issues include these:
- Injection vulnerabilities (e.g., SQL injection, cross-site scripting, remote code execution)
- Insecure communication
- Broken authentication or authorization
- Cross-site request forgery
- Weak encryption
- Improper access controls
- Error handling
The only security tool with detailed sensitive-data tracking and handling
Your applications handle certain data that is sensitive and critical to your business. This type of data includes user passwords, bank information, card numbers, and more. The Seeker tool’s sensitive-data tracking feature automatically identifies potentially sensitive data. Built-in security checkers detect when an application mishandles that data, including instances where the application:
- Leaks the data in a log file.
- Saves the data without encryption.
- Sends the data in a URL.
- Saves the data in the browser cache.
- Uses an insecure authentication mechanism, weak password policy, or unsecure database connection.
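Three of the checks listed above (data leaked into a log file, data sent in a URL, and the masking applied when it is displayed) can be demonstrated outside any particular tool. The following is an added example written for this article, not Seeker's code or any code from the original post. It assumes nothing beyond the Python standard library; the log lines and URL are constructed samples, the card numbers are the public test PANs, and the parameter names treated as sensitive authentication data are an assumption about a typical checkout API. A regex finds digit runs of PAN length, a Luhn check discards timestamps and order numbers that merely look like card numbers, and a logging filter shows the mitigation: redacting before the record ever reaches a handler.

```python
import io
import logging
import re
from urllib.parse import parse_qsl, urlsplit

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Query-parameter names that carry sensitive authentication data (assumed names).
SENSITIVE_PARAM_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "pin", "track1", "track2"}


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Digit-only PANs found in text: PAN-length runs that are also Luhn-valid."""
    return [
        _digits(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def _sub(m: re.Match) -> str:
        digits = _digits(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def url_query_leaks(url: str) -> list[str]:
    """Query parameters that carry a PAN or sensitive authentication data ("sends the data in a URL")."""
    query = urlsplit(url).query
    return [
        name for name, value in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAM_NAMES or find_pans(value)
    ]


class PanRedactingFilter(logging.Filter):
    """Attach to a logger or handler: rewrites the formatted message before it is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already formatted; stop the handler formatting it again
        return True


# Constructed sample events; the card numbers are the public test PANs, not real accounts.
SAMPLE_EVENTS = [
    "2024-05-01 12:00:01 checkout ok user=42 card=4111 1111 1111 1111 amount=19.99",
    "GET /pay?pan=5555555555554444&cvv=123&ref=A17 HTTP/1.1",
    "order=20240501123456 ref=1234567890123",  # long digit runs that are not card numbers
]


def scan_events(events: list[str]) -> list[tuple[int, str]]:
    """(event index, masked PAN) for every PAN that leaked into an event line."""
    return [(i, mask_pan(pan)) for i, line in enumerate(events) for pan in find_pans(line)]


def demo_logging() -> str:
    """Log a message through the filter and return what actually reached the handler."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(PanRedactingFilter())
    logger = logging.getLogger("pci.redaction.demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    logger.info("refund for card=%s by user=%d", "4111 1111 1111 1111", 42)
    return stream.getvalue()


if __name__ == "__main__":
    for idx, masked in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: PAN leaked, masked form {masked}")
    print("URL leaks:", url_query_leaks("/pay?pan=5555555555554444&cvv=123&ref=A17"))
    print("logged as:", demo_logging().strip())
```

The same scanner run over existing log archives, access logs, and browser-cache directories gives a quick inventory of where cardholder data has already been written; the filter is the cheaper fix, because data that never reaches the log does not have to be found later.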
In addition to the tool’s automatic sensitive-data tracking, users can quickly tag any data as sensitive, based on the business use cases the application supports. In either case, the Seeker solution will immediately notify users when it detects that an application is incorrectly handling data tagged as sensitive.
Another unique Seeker capability is its patented active verification engine. This verification engine instantly replays and retests any sensitive-data vulnerabilities it identifies to validate whether they are real and exploitable. This process provides an additional layer of assurance and confidence to security and development teams. As a result, they can prioritize and focus on the validated, critical vulnerabilities that matter most to their business.
Our Seeker solution has many more cutting-edge capabilities not found in traditional dynamic application security testing (DAST) tools. To learn how others have used Seeker IAST to meet PCI DSS compliance requirements and secure mission-critical and sensitive data, read our Parkeon case study.
Unless we recognize the problem and fix it at its root, we will continue to see data breaches making their way into the daily headlines—and executives heading into the boardroom for questioning.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Kimm Yeo. Read the original post at: https://www.synopsys.com/blogs/software-security/pci-dss-compliance/