Achieving PCI Compliance with Contrast Security

PCI DSS REQUIREMENTS FOR APPLICATION SECURITY

Meet PCI Compliance requirements head-on with the world's fastest suite for detecting and correcting software vulnerabilities. Contrast Security has been independently determined to automate key aspects of the PCI standards. This product applicability guide discusses sections of PCI DSS v3.2.1, PA-DSS v3.2, and PCI Software Security Framework v1.0.


"Contrast Assess and Contrast Protect may be used to replace some of the traditional approaches to assessing and protecting applications... The capabilities of Contrast Protect allow the software to be protected with greater fidelity than what is offered by traditional software security approaches (for example, Web Application Firewalls)."

CoalFire

Contrast Assess

Automated vulnerability detection through IAST, without specialist security expertise. Assess turns normal application usage into security tests to identify, track, and prioritize risk. An integral component in the PCI Secure Software Standard.

Contrast Protect

Automated defenses that operate and scale inside software to block otherwise successful attacks. Defend running software from attacks as part of your PCI DSS and PA DSS operations.

INDEPENDENT APPLICABILITY GUIDE

Contrast Security has been independently verified against PCI requirements.

Organizations looking to manage compliance against PCI standards can leverage Contrast Security products along with operational practices to manage PCI compliance with payment applications.

The product applicability guide was created by CoalFire, a respected Payment Card Industry (PCI) and Payment Application (PA) Qualified Security Assessor Company (QSAC).

6.1 - IDENTIFY SECURITY VULNERABILITIES

Contrast Assess helps organizations identify and prioritize vulnerabilities within their development lifecycles.

Contrast integrates powerful detection technology into applications at the right point, so that existing application tests become effective security tests. Compared to other methodologies, Contrast requires less time and expertise to identify more vulnerabilities with greater accuracy.

6.2 - DEFEND VULNERABILITIES

Contrast Protect provides immediate resolution to many vulnerabilities, along with virtual patches that defend against previously unknown 0-day exploits.

The in-app advantage of Contrast Protect lets normal usage proceed while blocking only actual exploits against vulnerable areas. Sensors placed inside the application replace signature-based detection with contextual verification that can tell the difference between an attack probe and an attack that reaches a vulnerable location.

Contrast Assess and Contrast Protect can provide continuous assessment and protection for applications. The integration of the Contrast Security platform sensors within the application allows the application to be continuously self-assessing and self-protecting. It is recommended that only Contrast Protect be enabled in the production runtime environment.

SECTION 6 EXTENDED

The accurate detection provided by Contrast's Runtime Application Self-Protection (RASP) approach enables streamlined integration with defect-tracking tools like JIRA and evidence collection by QSAs as part of section 6.3.2b. Features such as Log Enhancement enable teams to collect information that is otherwise not available to a SIEM. No developer intervention or code change is required.

Contrast Assess understands the different types of databases, including NoSQL databases such as Couchbase and MongoDB, and can detect their specific injection issues. Contrast Assess can identify these vulnerabilities with greater accuracy and thoroughness than Static Application Security Testing (SAST) tools.

2.4 - INVENTORY SCOPE

Maintain an inventory of system components that are in scope for PCI DSS. Contrast provides a Live View of applications, listing the architectural components and connections used by the application.

Organizations can combine the architectural view with other systems to determine the full scope of assets that are applicable to PCI.

10.2 - THIRD PARTY COMPONENTS

The Secure Software Standard indicates that, "vulnerabilities in the software and third-party components are tested for and fixed prior to release." Instead of simply listing libraries and CVEs, Contrast Assess leverages runtime knowledge of software composition analysis to identify which libraries are actually loaded as part of the application.
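As an added illustration of the runtime-inventory idea above (example code written for this page, not Contrast's own implementation), the following Python snippet compares a constructed declared-dependency list against the interpreter's module table after the application has exercised its code paths; `sample_app`, `acme_unused_lib` and `legacy_report_engine` are constructed names used only for the demonstration.

```python
import sys
from typing import Callable, Dict, Iterable, List

# Constructed manifest standing in for a build's declared dependencies.
# Two entries are hypothetical library names that nothing ever imports.
DECLARED_COMPONENTS: List[str] = [
    "json",
    "base64",
    "acme_unused_lib",       # hypothetical: declared but never loaded
    "legacy_report_engine",  # hypothetical: declared but never loaded
]


def classify_components(declared: Iterable[str]) -> Dict[str, List[str]]:
    """Split declared components into those the running interpreter has
    actually loaded (present in sys.modules) and those it never touched."""
    declared_set = set(declared)
    loaded = {name for name in declared_set if name in sys.modules}
    return {
        "loaded": sorted(loaded),
        "declared_but_not_loaded": sorted(declared_set - loaded),
    }


def inventory_after_running(app: Callable[[], None],
                            declared: Iterable[str]) -> Dict[str, List[str]]:
    """Exercise the application first, then take the runtime inventory.
    Only code paths that actually ran contribute to the 'loaded' set, so
    a lazily imported library stays unreported until usage reaches it."""
    app()
    return classify_components(declared)


def sample_app() -> None:
    """Constructed stand-in for normal application usage: it imports and
    uses two of the four declared components and nothing else."""
    import base64
    import json
    payload = json.dumps({"status": "ok"})
    base64.b64encode(payload.encode("utf-8"))


if __name__ == "__main__":
    print(inventory_after_running(sample_app, DECLARED_COMPONENTS))
```

The split this produces is the distinction the text draws: the manifest alone would report four components to assess, while the runtime view narrows attention to the two that are actually present in the process, with the caveat that usage must cover the relevant code paths for a lazily loaded library to appear.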

EXTERNAL INTEGRATIONS AND MORE...

Full coverage of PCI compliance involves a range of controls, technology, and procedures. Contrast integrates into many external systems used by organizations as part of PCI compliance: JIRA, Slack, VictorOps, Visual Studio, and more.

A full Contrast Splunk application is available for dashboard integration. The improved accuracy of Contrast Assess and Protect enables a more robust environment to support incident investigation without the traditional false positives. Other SIEMs are supported for information-sharing.

MORE COVERAGE ON MORE PCI REQUIREMENTS

Read the full Contrast PCI Product Applicability Guide.

DISCOVER HOW EASY IT IS TO SPOT AND STOP ATTACKS.

See what the new era of self-protecting software looks like. Schedule your live demo.