Payment Card Industry
Data Security Standard (PCI DSS)

What is PCI DSS?

Considered the “cornerstone” of financial sector application security, the Payment Card Industry Data Security Standard (PCI DSS) was launched in 2004 as a joint initiative between four credit card companies: Visa, MasterCard, Discover and American Express.

PCI DSS was created as an information security standard for organizations that handle, process, transmit, or store credit card information. As a compliance standard, PCI DSS increases the controls surrounding cardholder data in an effort to reduce and eliminate credit card fraud. Compliance is validated on a yearly basis: organizations handling large volumes of transactions obtain a Report on Compliance (ROC) from either an external Qualified Security Assessor (QSA) or a firm-specific Internal Security Assessor (ISA), while companies with lower transaction rates complete a Self-Assessment Questionnaire (SAQ).

Enforcing PCI DSS Compliance with Source Code Analysis

Checkmarx’s CxSAST makes obtaining PCI DSS compliance much easier. Implementing Checkmarx as a static code analysis solution addresses two major PCI DSS requirements:

1. Developing and maintaining secure software and applications

2. Regularly testing security systems and processes

For financial and e-commerce organizations and AppSec Professionals who want to embed security as part of the rapid development cycle, CxSAST provides the ability to detect and remediate vulnerabilities early in the SDLC. Unlike other SAST solutions, CxSAST seamlessly fits into the continuous integration toolchain, without imposing delays.

PCI DSS Compliance Requirements

There are twelve requirements for PCI DSS compliance organized into six related groups, known as “control objectives.”

Control objectives and the PCI DSS requirements under each:

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

How Checkmarx helps achieve PCI compliance

Protect Stored Cardholder Data

As millions of end-users have their sensitive personal data and payment details stored within financial organizations’ databases or on third-party servers, there is a critical need to ensure that all of this data remains secure and free from any cyber security risks that could result in breaches or leaks.

One technique mentioned within the PCI guidelines describes the importance of ensuring that sensitive financial data remains secure via the use of proper encryption techniques and the avoidance of sending unprotected Primary Account Numbers (PANs) using unencrypted emails or instant messaging.

Develop and maintain secure systems and applications

As cybercrime continues to rise month after month, financial software developers and vendors find themselves struggling to keep up with the increased sophistication of attacks. Organizations in the e-commerce and financial verticals need to stay on top of security patches and apply new patches as soon as they are released. Once security patches are applied, it’s critical to immediately begin QA testing to ensure that no conflicts arise between existing security configurations and the latest patches.

Implement a methodology for application layer app testing

PCI DSS mentions penetration (pen) testing in its materials; however, pen testing is often unable to keep up with the demands of continuous integration environments that depend on rapid development cycles. Techniques such as static application security testing (SAST) are ideal for such environments: they can secure the applications used for financial transactions and data storage at the earliest stages of the software development lifecycle (SDLC), making detection and remediation easier and far more efficient in terms of the resources required to fix issues.

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked to your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.