Considered the "cornerstone" of financial-sector application security, the Payment Card Industry Data Security Standard (PCI DSS) was launched in 2004 as a joint initiative between four credit card companies: Visa, MasterCard, Discover and American Express.
PCI DSS was created as an information security standard for organizations that handle, process, transmit, or store credit card information. As a compliance standard, PCI DSS increases the controls surrounding cardholder data in an effort to reduce, and ultimately eliminate, credit card fraud. PCI DSS compliance is validated yearly. Organizations handling large volumes of transactions are assessed by an external Qualified Security Assessor (QSA) or by their own Internal Security Assessor (ISA), who produces a Report on Compliance (ROC); companies with lower transaction volumes validate by completing a Self-Assessment Questionnaire (SAQ).
Checkmarx's CxSAST makes obtaining PCI DSS compliance much easier. Implementing Checkmarx as a static code analysis solution addresses two major PCI DSS requirements:
1. Developing and maintaining secure systems and applications (Requirement 6)
2. Regularly testing security systems and processes (Requirement 11)
For financial and e-commerce organizations and AppSec professionals who want to embed security in a rapid development cycle, CxSAST detects vulnerabilities early in the SDLC, when they are cheapest to remediate. CxSAST is built to fit into the continuous integration toolchain, so scanning does not become a bottleneck for the build pipeline.
There are twelve requirements for PCI DSS compliance, organized into six related groups known as "control objectives."
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
Protect Stored Cardholder Data
Millions of end users have their personal data and payment details stored in financial organizations' databases or on third-party servers, so there is a critical need to ensure that all of this data remains secure against the risks that lead to breaches or leaks.
PCI DSS addresses this directly. Requirement 3 calls for the Primary Account Number (PAN) to be rendered unreadable wherever it is stored, using truncation, one-way hashing based on strong cryptography, index tokens, or strong encryption with proper key management, and for PAN to be masked when displayed (no more than the first six and last four digits). Requirement 4 prohibits sending unprotected PANs over end-user messaging technologies such as email, instant messaging, SMS and chat.
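The controls above can be enforced in code. The following Python block is an added example, not Checkmarx's code or anything from the original page: it truncates a PAN to the first six and last four digits for storage or display, replaces the PAN with a keyed one-way hash (HMAC-SHA256) so records can still be matched without holding the PAN, and scans free text such as an outgoing email body for Luhn-valid card numbers so they can be blocked or redacted before the message leaves. The key, the regular expression and the sample email are assumptions made for the example; in production the hash key would come from a key-management system, not be generated in process.

```python
import hashlib
import hmac
import re
import secrets
from typing import List

# Assumption: a per-deployment secret held in a KMS/HSM. Generated here
# only so the example runs stand-alone; never hard-code or log it.
PAN_HASH_KEY = secrets.token_bytes(32)

# A run of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. The Luhn check below filters false positives.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample of an outbound support email that must not leave
# with PANs in it (test card numbers; "Order 1234567890123" is Luhn-invalid).
SAMPLE_EMAIL = (
    "Hi, the customer's card 4111 1111 1111 1111 was declined; "
    "please retry with 5555-5555-5555-4444. Order 1234567890123, phone 555-0100."
)


def _digits(value: str) -> str:
    """Strip spaces, hyphens and anything else that is not a digit."""
    return re.sub(r"\D", "", value)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits; the rest is replaced by '*'."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def keyed_hash_pan(pan: str, key: bytes = PAN_HASH_KEY) -> str:
    """Keyed one-way hash of the entire PAN for lookups without storing it.

    An unkeyed SHA-256 of a PAN is brute-forceable (the digit space is small
    and the Luhn check prunes it further), so the secret key is essential.
    """
    return hmac.new(key, _digits(pan).encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PANs (digits only) found in free text."""
    return [
        _digits(m.group())
        for m in PAN_RE.finditer(text)
        if luhn_ok(_digits(m.group()))
    ]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its truncated form."""

    def _sub(m: "re.Match[str]") -> str:
        digits = _digits(m.group())
        return truncate_pan(digits) if luhn_ok(digits) else m.group()

    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print("found:", find_pans(SAMPLE_EMAIL))
    print("redacted:", redact_pans(SAMPLE_EMAIL))
    print("stored token:", keyed_hash_pan("4111 1111 1111 1111"))
```

`redact_pans` is the kind of check a mail gateway or ticketing integration would run on outbound content; `keyed_hash_pan` is a stand-in for a tokenization service, and the same keyed-hash approach only satisfies the standard if the key is managed with the same rigor as an encryption key.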
As attacks grow more sophisticated, financial software developers and vendors find themselves struggling to keep up. Organizations in the e-commerce and financial verticals need to stay on top of security patches and apply them as soon as they are released (Requirement 6 sets a one-month window for critical patches). Once patches are applied, it is critical to run regression testing promptly to confirm that the existing security configuration still behaves as intended.
PCI DSS requires penetration testing (Requirement 11.3, at least annually and after any significant change), but pen testing alone cannot keep pace with continuous integration environments that depend on rapid development cycles. Static application security testing (SAST) complements it: it examines the applications used for financial transactions and data storage at the earliest stages of the software development lifecycle (SDLC), so issues are detected and remediated where fixing them costs the least. SAST does not replace the required penetration test, but it reduces what that test has to find.
Interested in trying CxSAST on your own code? Checkmarx's solution scans uncompiled, unbuilt source code in 18 programming and scripting languages and identifies the vulnerable lines of code. CxSAST also finds the best-fix locations and suggests remediation techniques. A free trial is available.
Checkmarx also offers live demonstrations in which in-house security experts run a scan, show how CxSAST identifies application-layer vulnerabilities, and demonstrate how the solution's queries can be tuned to your specific needs and requirements.