APPSEC OBSERVER

The latest trends and tips in DevSecOps through instrumentation and Security Observability.

Subscribe To Blog

Staying Compliant with PCI DSS Can Be Easier Than You Think

ByJeff Williams, Co-Founder, Chief Technology Officer June 24, 2015

 

What Does PCI DSS Compliance Mean?

PCI_DSS_Blog_Image_of_Credit_IssuersIn 2004, Visa, MasterCard, Discover, American Express, and JCB combined their minimum security standards for credit card processing together and crafted the Payment Card Industry Data Security Standard (PCI DSS). This ensured that merchants met minimum security standards when they stored, processed, and transmitted cardholder data. Updated through the years, the current standard is version 2.0 which contains 12 specific requirements for merchants to be considered compliant. (Note: In January 2014, version 3.0 takes effect.)

No merchant wants to compromise the security of their clientele. They want to be compliant. They want to be secure. They want their customers data to be safe. But sometimes PCI DSS requirements can be taxing on resources and manpower. Imposed requirements often are, well, imposing. That’s where Contrast Assess comes in. Contrast Assess can help you with two major components of that standard, both related to systems and applications.

PCI-DSS_blog_image

Develop and Maintain Secure Systems and Applications

Requirement number 6.5 on the PCI DSS Requirements List, pages 38-43, is designed to help merchants ensure security of their proprietary computer programs and software applications. It helps make sure they are meeting the minimum standard, to be sure, but to be truly secure you'll probably need to do more than what they are asking. Either way, it isn't as easy as a check mark in a box. It requires merchants to "Develop applications based on secure coding guidelines..." and prevent common coding vulnerabilities, including:

  • Injection flaws, particularly SQL injection, OS Command injection, LDAP and XPath injection flaws
  • Buffer overflow
  • Insecure cryptographic storage
  • Insecure communications
  • Improper error handling
  • All "High" vulnerabilities identified via processes established to discover security vulnerabilities
  • Cross-site scripting
  • Improper access control
  • Cross-site request forgery

That's a long list, and it's just the tip of the iceberg if you've got aging applications undergoing constant code reviews and updates. Requirement 6.6 states, "For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks...." In addition, the standards expect you to regularly test security systems and processes.

Regularly Test Security Systems and Processes

Requirement numbers 11.2-11.5 on the PCI DSS Requirements List, pages 61-63, are designed to ensure merchants regularly test security systems and processes. After all, new hacks, new threats, and new vulnerabilities are being discovered on a continual basis. To ensure security controls continue to reflect on the changing environment, components, processes, and custom software should be tested frequently. Merchants can do this in many ways. The requirements list includes the following:

  • Run internal and external network scans at least quarterly
  • Run internal and external vulnerability scans at least quarterly
  • Run internal and external scans after significant change in the network
  • Perform external and internal penetration testing at least once a year
  • Perform external and internal penetration testing after any significant infrastructure or application upgrade or modification, including network-layer penetration tests & application-layer penetration tests
  • Use intrusion-detection systems, and/or intrusion-prevention systems
  • Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date

And the list keeps on going. Lots to check off the list, and lots to stay on top of. So what's the best way to stay on top of all of the requirements in the PCI DSS list? That's for you to decide. But we'll put in our two cents anyway because Contrast is entirely scalable, constantly monitoring, and wildly affordable.

Four Ways Contrast Can Help You With Your PCI DSS Compliance

Dashboard_Portfolio

That's an image of the Contrast Assess dashboard. It lets you quickly know the type and severity of vulnerabilities. And it shows you where in the code you are experiencing the insecurity so you can fix it quickly. Because Contrast doesn't give false-positive results, you can spend your time fixing what needs to be fixed instead of chasing ghosts. In addition:

  • Contrast provides continuous status of security of application and supporting components rather than snap-shot in time 
  • Contrast helps you avoid the effort of scheduling testing, interruption to development team, etc. because you can use Contrast to create a PCI application security report anytime
  • Developers can fix vulnerabilities as they are found which reduces remediation costs and avoids the pre-audit push
  • Contrast provides coverage details to ensure security testing is achieving reasonable coverage – including libraries

We've dedicated ourselves to making your life, your work, easier and more manageable. Give us 30 minutes to give you a live demonstration of what Contrast can do for you and by this time next year, you'll be glad you did.

Thanks for reading.

Hackers have better tools than you...

 
Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

TOPICS

SEARCH

SUBSCRIBE TO THE BLOG

Subscribe to the Contrast Blog

By subscribing to our blog you will stay on top of all the latest appsec news and devops best practices. You will also be informed of the latest Contrast product news and exciting application security events.

Subscribe to Email Updates

Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software. Contrast’s patented deep security instrumentation completely disrupts traditional application security approaches with integrated, comprehensive security observability that delivers highly accurate assessment and continuous protection of an entire application portfolio. This eliminates the need for disruptive scanning, expensive infrastructure workloads, and specialized security experts. The Contrast Application Security Platform accelerates development cycles, improves efficiencies and cost, and enables rapid scale while protecting applications from known and unknown threats.