Key points from the Complete Application Security Guide for PCI-DSS

The growing popularity of online payment systems results from the transition to a cashless and contactless digital economy, one that a recent Huawei white paper projects will be worth $23 trillion by 2025. With digital commerce emerging as the largest segment of the projected $8.49 billion global digital payments market in 2022, it is no surprise that enterprises are investing significant capital in integrating this functionality into their operating platforms.

Credit cards remain one of the main options among the many ways consumers can now shop online. WorldPay’s Global Payments Report revealed that 34% of global consumers use credit and debit cards to purchase items online. Credit cards were also the primary payment option for point-of-sale (POS) transactions. However, concerns about the security risks of this technology continue to grow. The COVID-19 pandemic has proven to be an aggravating factor, with the United States Federal Trade Commission (FTC) finding a 44% increase in credit card fraud reports between 2019 and 2020. In 2021, the FTC reported that it received consumer fraud reports totaling over $5.8 billion, a whopping 70% increase from the previous year. 390,000 of those reports were credit card fraud that led to identity theft.

Given the security risks faced by the 2.8 billion credit cards used around the world, protecting sensitive cardholder data has never been more critical. The good news is that companies can protect consumer data by hardening their payment processing software and platforms with standard security procedures and technologies that prevent cardholder data breaches. These security procedures are the core of the Payment Card Industry Data Security Standard (PCI-DSS), a comprehensive set of 12 requirements against which businesses should measure their card payment policies and procedures. Complying with the standard helps keep attackers out by prioritizing the defense of development and infrastructure systems.

PCI-DSS 4.0 is the latest version of the security standard, and here are some of its recommendations for businesses to protect cardholder information on the payment processing software they use.

1. Integrate security into the software lifecycle

Whether payment processing software is developed in-house or outsourced to a third party, prioritizing security at every stage of the software lifecycle is essential to ensure it is hardened against attacks. While PCI SSC (the PCI Security Standards Council) maintains a list of validated secure software and vendors, organizations can still acquire custom software. However, PCI-DSS Requirement 6.1.2 requires organizations that develop custom software to ensure that the software conforms to one of PCI SSC’s Secure Software or Secure SLC standards.

Under Requirement 6.2.2, software developers responsible for building products that handle personally identifiable information (PII) must also be trained annually on secure software best practices so that they can detect, monitor and remediate potential attack vectors. This training also covers the use of automated security testing tools such as Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools during the assessment phase of the software life cycle. Organizations that fail to implement these mature security testing processes during their software lifecycle run a higher risk of exploitation.

2. Invest in ongoing vulnerability scanning and management

During software testing, it is normal to identify a few security vulnerabilities. Once they are identified, the development team must develop remediation plans. However, it is essential to note that vulnerabilities do not only come from the application itself, but also from the stack it runs on. Operating system vulnerabilities, for example, can create backdoors that allow attackers to reach software applications and steal the crown-jewel data. For public-facing software applications, companies can either conduct a review annually and after each major change, or deploy an automated solution that actively searches for these threats in real time (Requirement 6.4.1).

To combat such attacks, PCI best practices require organizations to meet regular vulnerability scanning requirements to assess the security posture of endpoints and network devices. For example, under PCI-DSS 11.3.1.3 and 11.3.2.1, organizations must run internal and external vulnerability scans every three months and rescan after any significant change.

Developing comprehensive vulnerability management processes is the next step. In accordance with PCI-DSS 6.3, organizations must identify and resolve security vulnerabilities by monitoring security alerts from industry-recognized sources such as Computer Emergency Response Teams (CERTs). They should then catalog this information by assigning a risk ranking (e.g., “high,” “medium,” or “low”) based on potential impact levels and industry best practices. Requirement 6.3.2 also states that companies must “maintain an inventory of bespoke and customized software to facilitate vulnerability and patch management.”

Once a vulnerability scan is complete and a framework is in place, the next step is to automate the process to ensure constant infrastructure assessment. In 2021, at least one vulnerability was discovered in more than 25,000 software applications, with more being discovered daily. Attackers, too, keep looking for new ways to exploit vulnerabilities. Companies therefore need to invest in automating these processes to stay ahead of their adversaries.
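As an added illustration of the vulnerability management workflow described above (Requirements 6.3 and 6.3.2, plus the quarterly scan cadence of 11.3.1.3 and 11.3.2.1), the Python below is example code written for this page, not code from the article, PCI SSC or HelpSystems. It keeps an inventory of bespoke software and the components each bundles, matches that inventory against an advisory feed, ranks every finding high, medium or low, and works out when the next scan is due. The application names, component versions, advisory identifiers, CVSS thresholds and the 90-day reading of "three months" are all constructed assumptions.

```python
"""Vulnerability management triage for a bespoke-software inventory.

Added example for this page; not the article's, PCI SSC's or HelpSystems' code.
Inventory, advisory feed and thresholds below are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed inventory of bespoke software (Requirement 6.3.2): each
# application lists the third-party components it bundles. Hypothetical names.
INVENTORY = {
    "checkout-api": {
        "owner": "payments-team",
        "components": {"libcardfmt": "2.3.1", "jsonparse": "1.0.0"},
    },
    "pos-gateway": {
        "owner": "store-ops",
        "components": {"libcardfmt": "2.4.0", "tlswrap": "0.9.2"},
    },
}

# Constructed advisory feed. The record shape is our own, not any real
# CERT or vendor feed format; the IDs and scores are made up.
ADVISORIES = [
    {"id": "ADV-0001", "component": "libcardfmt", "fixed_in": "2.4.0",
     "cvss": 9.1, "summary": "card number written to error log"},
    {"id": "ADV-0002", "component": "jsonparse", "fixed_in": "1.1.0",
     "cvss": 5.3, "summary": "denial of service via deep nesting"},
    {"id": "ADV-0003", "component": "tlswrap", "fixed_in": "0.9.1",
     "cvss": 7.5, "summary": "certificate validation bypass"},
]


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def risk_rank(cvss):
    """Map a CVSS base score to the high/medium/low ranking of 6.3.1.
    The bands are an assumption (CVSS v3 severity bands)."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def is_affected(installed_version, advisory):
    """A component is affected when it is older than the fixed version."""
    return parse_version(installed_version) < parse_version(advisory["fixed_in"])


def triage(inventory, advisories):
    """Match every inventoried component against the feed and return the
    findings, highest rank first, so the remediation queue is already ordered."""
    findings = []
    for app, meta in inventory.items():
        for component, installed in meta["components"].items():
            for adv in advisories:
                if adv["component"] == component and is_affected(installed, adv):
                    findings.append({
                        "app": app,
                        "owner": meta["owner"],
                        "component": component,
                        "installed": installed,
                        "fixed_in": adv["fixed_in"],
                        "advisory": adv["id"],
                        "rank": risk_rank(adv["cvss"]),
                    })
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["rank"]], f["app"], f["advisory"]))
    return findings


def next_scan_due(last_scan_iso, significant_change_iso=None):
    """Quarterly scan cadence from 11.3.1.3 / 11.3.2.1: 90 days after the last
    scan (our reading of 'three months'), or earlier if a significant change
    happened after that scan. Dates are ISO-8601 strings."""
    last = date.fromisoformat(last_scan_iso)
    due = last + timedelta(days=90)
    if significant_change_iso:
        change = date.fromisoformat(significant_change_iso)
        if change > last:
            due = min(due, change)
    return due.isoformat()


if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"[{f['rank'].upper():6}] {f['app']} ({f['owner']}): "
              f"{f['component']} {f['installed']} -> {f['fixed_in']} ({f['advisory']})")
    print("next scan due:", next_scan_due("2024-01-01", "2024-02-01"))
```

Run as a script it prints the ordered remediation queue and the next scan date; the same functions can be driven from a scheduler so the inventory is re-checked whenever the advisory feed or a deployment changes, which is the automation the section calls for. Note that pos-gateway's libcardfmt 2.4.0 produces no finding because it already matches the fixed version, and its tlswrap 0.9.2 is newer than the fix, so only checkout-api appears in the queue.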

3. Implement a set of consistent change management processes

Whether a system component is removed, added or changed, those changes must be consistently managed through a set of change management processes. Before a change is made, it must go through a documented description, an assessment of its impact on security, approval by the parties concerned, testing, and a back-out plan in case of failure (PCI DSS 6.5.1). The same applies to bespoke and custom software: modifications must comply with Requirement 6.2.4 before deployment.

These processes must be structured and consistent, not only so that organizations are not caught off guard, but also to ensure more robust and secure code during the development cycle. Additionally, per Requirement 6.5.2, once a change is complete, organizations must validate their systems to confirm that they are still PCI-DSS compliant.

Until March 2025, these PCI requirements are considered “best practices,” and entities will not be assessed for full compliance until then. In the meantime, for the next 18 months (and beyond), organizations will have access to both v3.2.1 and v4.0.

Conclusion

The overriding goal of meeting PCI-DSS requirements is not simply to tick the compliance boxes, but to create a robust security framework that protects customer data and ensures business success. Business leaders must take a “now or never” approach to PCI-DSS compliance, not just because organizations that rank high on compliance lists attract more investment, but because of the actual security value of compliance. The enterprise attack surface continues to expand, and threat actors will not stop their attempts to exploit it. So it’s now or never. While organizations that make compliance a high priority will stay ahead of the curve, those that do otherwise will find their defenses crippled sooner rather than later.

For more information on PCI compliance areas for payment card software protection, you can access HelpSystems’ comprehensive guide here.


About the Author: Kolawole Samuel Adebayo is a Harvard-educated tech entrepreneur, tech enthusiast, tech writer/journalist, and executive ghostwriter. He has over 10 years of experience covering various tech news stories, writing thought leadership blogs, reports, spec sheets and case studies. His areas of expertise include Cybersecurity, AI, ML, DevOps and Big Data for C-level executive audiences. He has written for several publications including VentureBeat, RSI Security, NWTechs, WATI Security, Draft.dev, Codecov, Teleport and many more. He is also an award-winning poet, with works published in several journals around the world.

Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.