Introducing Checkmarx Software Composition Analysis (CxSCA)
Considered the “cornerstone” of financial sector application security, the Payment Card Industry Data Security Standard (PCI DSS) was launched in 2004 as a joint initiative between four credit card companies: Visa, MasterCard, Discover, and American Express.
PCI DSS was created as an information security standard for organizations that handle, process, transmit, or store credit card information. As a compliance standard, PCI DSS increases the controls surrounding cardholder data in an effort to reduce and eliminate credit card fraud. PCI DSS compliance is validated yearly: organizations handling large volumes of transactions are assessed by an external Qualified Security Assessor (QSA) or a firm-specific Internal Security Assessor (ISA), who produces a Report on Compliance (ROC), while companies with lower transaction rates complete a Self-Assessment Questionnaire (SAQ).
Checkmarx’s CxSAST makes obtaining PCI DSS compliance much easier. Implementing Checkmarx as a static code analysis solution addresses two major PCI DSS requirements:
For financial and e-commerce organizations and AppSec professionals who want to embed security in the rapid development cycle, CxSAST provides the ability to detect and remediate vulnerabilities early in the SDLC. Unlike other SAST solutions, CxSAST fits seamlessly into the continuous integration toolchain without imposing delays.
There are twelve requirements for PCI DSS compliance organized into six related groups, known as “control objectives.”
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Because millions of end-users have their sensitive personal data and payment details stored in financial organizations’ databases or on third-party servers, there is a critical need to ensure that all of this data remains secure and free from cyber security risks that could result in breaches or leaks.
One technique mentioned within the PCI guidelines describes the importance of ensuring that sensitive financial data remains secure through proper encryption, and of never sending unprotected Primary Account Numbers (PANs) over unencrypted email or instant messaging.