Payment Card Industry
Data Security Standard

Ensure PCI DSS Compliance with Source Code Analysis


What is PCI DSS?

Considered the “cornerstone” of financial sector application security, the Payment Card Industry Data Security Standard (PCI DSS) was launched in 2004 as a joint initiative between four credit card companies: Visa, MasterCard, Discover and American Express.

PCI DSS was created as an information security standard for organizations that handle, process, transmit, or store credit card information. As a compliance standard, PCI DSS increases the controls surrounding cardholder data in an effort to reduce and eliminate credit card fraud. PCI DSS compliance validation is undertaken on a yearly basis. For organizations handling large volumes of transactions it is performed either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA), who creates a Report on Compliance (ROC); companies with lower transaction rates validate by Self-Assessment Questionnaire (SAQ).

Enforcing PCI DSS Compliance with Source Code Analysis

Checkmarx’s CxSAST makes obtaining PCI DSS compliance much easier. Implementing Checkmarx as a static code analysis solution addresses two major PCI DSS requirements:

  1. Developing and maintaining secure software and applications
  2. Regularly testing security systems and processes

For financial and e-commerce organizations and AppSec professionals who want to embed security in the rapid development cycle, CxSAST provides the ability to detect and remediate vulnerabilities early in the SDLC. Unlike other SAST solutions, CxSAST fits seamlessly into the continuous integration toolchain without imposing delays.

PCI DSS Compliance Requirements

There are twelve requirements for PCI DSS compliance organized into six related groups, known as “control objectives.”

Control objective: Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Control objective: Protect cardholder data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Control objective: Maintain a vulnerability management program

  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Control objective: Implement strong access control measures

  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Control objective: Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Control objective: Maintain an information security policy

  12. Maintain a policy that addresses information security

How Checkmarx Helps Achieve PCI Compliance

Protect Stored Cardholder Data

As millions of end-users have their sensitive personal data and payment details stored in financial organizations’ databases or on third-party servers, there is a critical need to ensure that all of this data remains secure and free from cybersecurity risks that could result in breaches or leaks.

One technique described in the PCI guidelines is ensuring that sensitive financial data remains secure through proper encryption, and avoiding sending unprotected Primary Account Numbers (PANs) over unencrypted email or instant messaging.
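A concrete defender-side check for the "no unprotected PANs in email or messaging" point above, added here as an example and not code from Checkmarx or from the PCI guidelines: a small scanner that finds card-number-shaped strings in outbound text, keeps only those that pass the Luhn (mod-10) check so that order and reference numbers are not flagged, and masks the hits before the message leaves. The sample message, the last-four-digits masking policy and the function names are assumptions of this example; the card number in the sample is the well-known Visa test PAN, not a real account.

```python
import re

# Constructed sample: an outbound message that contains a card-number-shaped string
# (a public Visa test PAN, not a real account) and a look-alike reference number.
SAMPLE_MESSAGE = (
    "Order 1234 confirmed. Card 4111 1111 1111 1111 was charged $40.\n"
    "Reference number 1234567890123456 is not a card.\n"
)

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    parity = len(digits) % 2  # positions to double, counted from the right
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number-shaped strings in text, digits only."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits (assumed masking policy for this example)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form.

    Returns the redacted text and the number of PANs replaced. Candidates that
    fail the Luhn check are left untouched so ordinary numbers survive.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group()

    return _CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_MESSAGE))
    redacted, n = redact_pans(SAMPLE_MESSAGE)
    print(f"{n} PAN(s) masked:\n{redacted}")
```

The same `find_pans` routine can be run over application logs or message queues as a detection control; the Luhn filter is what keeps the false-positive rate low enough for that to be practical.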

Case studies

  - Discover How a Leading Bank Uses Source Code Analysis To Strengthen Security
  - Learn How a Leading Financial Platform Development House Secures Java & C++ with CxSAST
  - Read How a Global Financial Services Organization Scans Their Full Application Portfolio with One Solution