API Security Requirements for PCI Secure Software Standard

With the increasing number of attacks on APIs, the PCI Security Standards Council (PCI SSC) is acting. In addition to the PCI DSS requirements, and to assist businesses in ensuring that their software, including APIs, is not exploited, the PCI SSC publishes a PCI Secure Software Standard with supporting program documentation.

When it comes to financial transactions that involve credit or debit cards, security is a top concern. Yet at the same time, consumers and businesses expect a smooth and engaging application experience when doing these transactions. To achieve that experience, application programming interfaces (APIs) have become the currency of exchange in today’s digital business reality. APIs are the glue that make mobile and web applications work. And their use is exploding.

However, APIs, which by their nature are highly visible and well-defined doorways into the data and business processes of organizations, are now the number one attack surface exploited by cyber criminals and hackers. And that can make the payment card experience a potential doorway to theft, fraud, and business disruption. Recent data breaches are causing payment card industry groups to increase their attention on API security.

PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) is made up of payments industry stakeholders, including American Express, Discover, JCB International, MasterCard and Visa Inc., that develop and drive adoption of data security standards and resources for safe payments worldwide.

The standards are referred to as the Payment Card Industry Data Security Standard (PCI DSS). This standard is designed to prevent fraud through increased control of credit card data. While the PCI SSC has no legal authority to compel compliance, the PCI DSS is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long-lasting and trusting relationships with their customers.

PCI Secure Software Standard

Unlike the PCI DSS requirement, the PCI Secure Software Standard sets out requirements so that payment software is designed, developed, and maintained in a manner that protects transactions and data, minimizes vulnerabilities, and defends against attacks.

The latest version of the PCI Secure Software Standard has additions to the Web Software Module and specifically includes these API-specific requirements:

  • Documenting and tracking the use of open-source and third-party software components and APIs in payment software.
  • Controlling access to payment software web APIs and other critical assets.

These two additions are important because they help to amplify the importance of several API vulnerabilities, where attackers are actively mixing and matching Open Web Application Security Project (OWASP) API security categorized threats to bypass common security controls. These threats include Broken User Authentication (API2), Excessive Data Exposure (API3) and Improper Assets Management (API9) that attackers are exploiting to achieve their end goal.
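The Excessive Data Exposure category (API3) named above is easiest to see in code. The following is an added example, not code from the post or from Cequence: a constructed user record is returned by two versions of a profile endpoint. The vulnerable version serializes the whole database row and leaves it to the client to hide fields; the hardened version projects the row through an explicit response allow-list and truncates the card number to its last four digits. The record, field names and schema are all assumptions made for the illustration.

```python
"""Excessive Data Exposure (OWASP API3): full-row serialization versus an
explicit response schema. All data below is constructed for the example."""
import json

# Constructed sample row; the PAN is the well-known Visa test number pattern,
# and the password hash is a placeholder string, not a real hash.
USER_ROW = {
    "id": 4711,
    "display_name": "A. Customer",
    "email": "a.customer@example.com",
    "card_number": "4111111111111111",
    "card_expiry": "12/29",
    "password_hash": "$argon2id$placeholder",
    "internal_risk_score": 0.87,
}

# Fields that must never appear in a profile response (assumed policy).
SENSITIVE_KEYS = {"card_number", "card_expiry", "password_hash", "internal_risk_score"}

# Explicit allow-list of what the profile endpoint is permitted to return.
RESPONSE_SCHEMA = {"id", "display_name", "card_last4"}


def vulnerable_profile(row: dict) -> str:
    """Serializes the entire row: cardholder data and internal fields leak."""
    return json.dumps(row)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a primary account number."""
    return pan[-4:]


def hardened_profile(row: dict) -> str:
    """Builds the response from an explicit projection, never from the raw row."""
    projected = {
        "id": row["id"],
        "display_name": row["display_name"],
        "card_last4": mask_pan(row["card_number"]),
    }
    # Guard against the projection drifting wider than the documented schema.
    if not set(projected) <= RESPONSE_SCHEMA:
        raise ValueError("response contains fields outside RESPONSE_SCHEMA")
    return json.dumps(projected)


def leaked_fields(response_json: str) -> set:
    """Returns the sensitive keys present in a response body; useful as a
    unit-test or response-inspection control in a CI pipeline."""
    return set(json.loads(response_json)) & SENSITIVE_KEYS


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_fields(vulnerable_profile(USER_ROW))))
    print("hardened leaks:  ", sorted(leaked_fields(hardened_profile(USER_ROW))))
```

The point of `leaked_fields` is that the check can run against every endpoint's sample response in CI, so a newly added column in the database table cannot silently widen what the API exposes.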

PCI Compliance Jeopardized by Unknown or Shadow APIs

However, even with security control requirements in place, the challenge with APIs is that today’s security teams simply lack the visibility and defense capabilities they need to reduce their ever-growing risk profile from APIs and other application connections. First, they need to ensure APIs are free of errors, misconfigurations, and vulnerabilities. Second, they need to protect even those APIs that are perfectly coded. But when it comes to API visibility, protecting APIs, and attempting to comply with API security-related requirements, the job is harder because there are so many unknown or shadow APIs. In fact, a recent report found that approximately 5 billion (31%) malicious transactions targeted shadow APIs.
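One concrete way to surface shadow APIs is to build a runtime inventory from what the edge actually serves and compare it with what the team has documented. The example below is added here and is not code from the post or from Cequence: it parses a constructed set of access-log lines, normalises path segments that look like identifiers to `{id}` so that `/v1/accounts/42` and `/v1/accounts/77` count as one route, and reports routes that were observed but never documented (shadow APIs, the Improper Assets Management case) alongside documented routes that never appear in traffic. The log format, routes and inventory are assumptions for the illustration.

```python
"""Runtime API inventory from access logs, compared with a documented inventory.
Log lines, routes and the inventory are constructed for this example."""
import re
from collections import Counter

# Constructed access-log sample: "<method> <path> <status>" per line.
ACCESS_LOG = """\
GET /v1/accounts/42 200
GET /v1/accounts/77 200
POST /v1/payments 201
GET /v1/accounts/42/cards 200
GET /internal/debug/dump 200
GET /v0/accounts/42 200
POST /v1/payments 201
"""

# The API inventory the team has documented (constructed).
DOCUMENTED = {
    ("GET", "/v1/accounts/{id}"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/accounts/{id}/cards"),
    ("DELETE", "/v1/payments/{id}"),
}

# A path segment is treated as an identifier if it is all digits or a UUID.
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def normalize_path(path: str) -> str:
    """Strip the query string and replace identifier-like segments with {id}."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if _ID_SEGMENT.match(p) else p for p in parts)


def observed_routes(log_text: str) -> Counter:
    """Count (method, normalised path) pairs seen in the log."""
    routes = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        routes[(method, normalize_path(path))] += 1
    return routes


def classify(log_text: str, documented: set) -> dict:
    """Split observed traffic into documented routes, shadow routes (served but
    undocumented) and documented routes with no observed traffic."""
    seen = observed_routes(log_text)
    shadow = {route: n for route, n in seen.items() if route not in documented}
    unobserved = documented - set(seen)
    return {
        "observed": dict(seen),
        "shadow": shadow,
        "documented_unobserved": unobserved,
    }


if __name__ == "__main__":
    report = classify(ACCESS_LOG, DOCUMENTED)
    for route, n in sorted(report["shadow"].items()):
        print("SHADOW   ", route, "requests:", n)
    for route in sorted(report["documented_unobserved"]):
        print("NO TRAFFIC", route)
```

On the constructed log this flags the `/internal/debug/dump` endpoint and the old `/v0/` version of the accounts route as shadow APIs, and shows that the documented `DELETE /v1/payments/{id}` route carried no traffic in the window. Fed from real edge logs on a schedule, the same comparison gives the "documenting and tracking" evidence the standard asks for and a starting list for remediation.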

Comprehensive API Protection for PCI DSS Compliance

Meeting the PCI Secure Software Standard requirements and combating the ever-present risk posed by APIs requires a unified and fully integrated approach that works across the entire API protection lifecycle, protecting all APIs across all API implementations, channels, and infrastructure environments, and across all user groups and business use cases.

The approach must discover and maintain a complete runtime inventory of all managed and unmanaged APIs, and build on that inventory with compliance monitoring and remediation, threat detection, and robust inline threat prevention.

The Cequence Unified API Protection solution is the only offering that addresses all phases of the API protection lifecycle to defend your APIs from attackers and eliminate unknown and unmitigated API security risks that can lead to data loss, fraud, and business disruption.

Security teams deploying the Cequence Unified API Protection solution eliminate unknown, unprotected, and unmitigated API risk. They achieve continuous protection of their complete API risk surface, enabling their organizations to reap the competitive and business advantages of ubiquitous API connectivity securely and compliantly.

Ensure Security Controls are Met

Security controls play an important role in protecting and safeguarding the data held by an organization, reducing the risk of data breach or loss, and enforcing policies and best practices. But you can’t protect what you can’t see, and even then, perfectly coded and configured APIs can still be exploited. The good news is that Cequence Security is here to help.

Get Started Today with the Cequence Unified API Protection solution

Get a Free Security Assessment of your API attack surface


*** This is a Security Bloggers Network syndicated blog from Cequence Security authored by Tony Bailey. Read the original post at: