By Jeff Williams, Co-Founder, Chief Technology Officer
June 24, 2015
In 2004, Visa, MasterCard, Discover, American Express, and JCB combined their minimum security standards for credit card processing and crafted the Payment Card Industry Data Security Standard (PCI DSS). This ensured that merchants met minimum security standards when they stored, processed, and transmitted cardholder data. The standard has been updated over the years; the current version, 2.0, contains 12 specific requirements that merchants must meet to be considered compliant. (Note: version 3.0 takes effect in January 2014.)
No merchant wants to compromise the security of their clientele. They want to be compliant. They want to be secure. They want their customers' data to be safe. But sometimes PCI DSS requirements can be taxing on resources and manpower. Imposed requirements often are, well, imposing. That's where Contrast Assess comes in. Contrast Assess can help you with two major components of that standard, both related to systems and applications.
Requirement number 6.5 on the PCI DSS Requirements List, pages 38-43, is designed to help merchants ensure security of their proprietary computer programs and software applications. It helps make sure they are meeting the minimum standard, to be sure, but to be truly secure you'll probably need to do more than what they are asking. Either way, it isn't as easy as a check mark in a box. It requires merchants to "Develop applications based on secure coding guidelines..." and prevent common coding vulnerabilities, including:
That's a long list, and it's just the tip of the iceberg if you've got aging applications undergoing constant code reviews and updates. Requirement 6.6 states, "For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks...." In addition, the standards expect you to regularly test security systems and processes.
Requirement numbers 11.2-11.5 on the PCI DSS Requirements List, pages 61-63, are designed to ensure merchants regularly test security systems and processes. After all, new hacks, new threats, and new vulnerabilities are being discovered on a continual basis. To ensure that security controls keep pace with a changing environment, system components, processes, and custom software should be tested frequently. Merchants can do this in many ways. The requirements list includes the following:
And the list keeps on going. Lots to check off the list, and lots to stay on top of. So what's the best way to stay on top of all of the requirements in the PCI DSS list? That's for you to decide. But we'll put in our two cents anyway because Contrast is entirely scalable, constantly monitoring, and wildly affordable.
That's an image of the Contrast Assess dashboard. It lets you quickly know the type and severity of vulnerabilities. And it shows you where in the code the vulnerability lies so you can fix it quickly. Because Contrast doesn't give false-positive results, you can spend your time fixing what needs to be fixed instead of chasing ghosts. In addition:
We've dedicated ourselves to making your life, your work, easier and more manageable. Give us 30 minutes to give you a live demonstration of what Contrast can do for you and by this time next year, you'll be glad you did.
Thanks for reading.
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.