Secure coding for PCI compliance
When considering secure coding for payment card industry compliance, code must adhere to the PCI DSS requirement. PCI DSS stands for Payment Card Industry Data Security Standard.
This adherence means building security into the development process. Compliance is dependent upon coders being properly trained to ensure that any card payment transactions are not occurring in an insecure environment.
Learn Secure Coding
Requirement 6 of PCI DSS relates to applications that store, process or transmit cardholder data. Further, it remands that all external and internal applications must follow the Payment Application Data Security Standard (PA-DSS) This requirement is the responsibility of all developers working on code related to cardholder data.
Objectives: Requirement 6 (PCI DSS)
6.1
Establish a process to identify security vulnerabilities by using reputable outside sources for security vulnerability information and then assigning a risk ranking such as high, medium or low to newly-discovered security vulnerabilities
To comply with 6.1, consider:
- Documenting your list of software assets used to develop applications, explaining each function the asset provides and keeping it updated
- Creating a system that monitors every item for vulnerabilities continuously; this system should be a reliable source
6.2
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Once you have identified vulnerabilities per requirement 6.1, they need to be rectified with a patch. Anything is high-level should be patched first. You should also keep a patching audit log.
6.3
Develop secure software applications for internal and external applications, including Web-based administrative access in accordance with PCI DSS, industry best standards and with information security integrated. You can develop secure software applications by:
- Requirement gathering: Determine the functional and technical specification requirements from the previous phase
- Design: All design protocols should be in harmony with the requirement specifications
- Development: Coders must develop secure code and undergo regular training
- Testing: Complete the process with a test to assess specifications, design, and security functions
6.3.1
Remove development and test accounts, user IDs and passwords before release.
Design a process to comply with this requirement that verifies the removal of these elements. Document the process and include an audit record.
6.3.2
Review custom code prior to release to identify any coding vulnerabilities.
This process should be implemented by coders that are familiar with PCI DSS. The reviewers should verify the documentation of processes per 6.3.1. Comprehensive documentation of the code review process should occur and be approved before final release.
6.4
Examine policies and procedures to verify that the following are defined:
- Development/test environments should be separate from production environments with access control in place to enforce separation
- Enable a separation of duties between personnel that are developing and those in the production
- Do not use live PANS for testing
- Remove all test data and accounts before a production system becomes active
- Change control procedures related to establishing security patches and software modifications must be documented
PCI DSS decrees that test or development areas are never secure enough for holding cardholder data. Thus, the need for separation. You can keep them separately more easily with network segmentation.
6.5
Address common coding vulnerabilities in software development processes as follows:
- Train developers in secure coding techniques, including avoiding common coding vulnerabilities and understanding how sensitive data is handled in memory
- Create applications based on common coding guidelines
With this requirement, PCI DSS requests training of coders for best practices. Before giving a coder clearance to work on PCI-related code, it is recommended they receive specific training.
6.6
For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Review public-facing Web applications via manual or automated application vulnerability security assessment tools or methods annually and after any changes are made
- Install an automated technical solution that detects and prevents Web-based attacks in front of public-facing Web applications, to continually check all traffic
You can meet this requirement with a Web application vulnerability scanning tool or Web application firewall. Many organizations apply both.
6.7
Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use and known to all affected parties.
The documentation required in previous requirements should be properly managed and available to any applicable parties. Conduct at least an annual review of this documentation so that it stays up-to-date.
Common PCI DSS challenges
While each part of requirement 6 is clear, that doesn’t mean that mistakes aren’t made in coding for PCI compliance. Here are some of the most common challenges organizations face:
- Not treating PCI DSS as a separate project: Organizations often try to fit in the compliance measures to existing projects, but this needs its own project roadmap
- Applying requirements universally across the entire infrastructure: Stricter controls might be needed in some areas, whereas less-stringent ones might be appropriate in others
- Not exercising full control over the movement and usage of credit card data: Some organizations allow other departments or third parties access to this, which means the requirements must be met within those groups as well
- Storing cardholder data when it’s not necessary: Only do so when it is essential
- Addressing PCI compliance only during an annual validation: Sustaining your PCI compliance should be a daily effort
- Not implementing continuous training for coders to ensure they are up-to-date on all known threats: Annual training at the least should be achieved
- Not documenting processes or documenting them in a non-granular manner: There should be no room for interpretation in this documentation. Rather, it should be very clear for each step
PCI DSS compliance best practices for coders
With all these requirements that must be met, it can seem daunting. However, following the best practices instituted in Requirement 6 and beyond will do more to keep cardholder data safe. You should keep in mind that meeting PCI compliance doesn’t mean that your infrastructure is immune to breaches. It simply reflects you are meeting the minimum standard. So it’s important to go outside that minimum and set up additional ways to keep data secure.
Other best practices you should consider include:
Learn Secure Coding
- Identifying and maintaining goals in relation to PCI coding compliance: It’s not just about obtaining compliance reports, it’s a proactive goal to secure cardholder data
- Establish long-term processes and governance related to PCI: This isn’t something you just set and walk away from. Rather, it must be a core objective of any organization
- Focus on risk and security: Compliance is a byproduct of identifying risk and mitigating it with securing actions
- Never stop auditing and scanning
- Define ownership of PCI compliance
- Segment your data: Create a cardholder environment separate from other company data
- Control access to cardholder data with role-based access controls
- Use encryption protocols beyond SSL/TLS
- Conduct regular risk assessments
One last thought: Maintaining and going beyond PCI DSS compliance
First, you have to reach the compliance state then you can enrich your activities further by implementing best practices and improving your PCI compliance program to exceed the requirements. One of the most important parts of compliance and managing risk is that the coder stay well-educated and trained on security awareness topics.
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- Secure coding for PCI compliance
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding