In Depth

PCI Application Security: Who's Guarding the Data Bank?

Ben Rothke and David Mundhenk offer compliance strategies for PCI's new application security requirements

By Ben Rothke and David Mundhenk

Application Security Action Items
Some business and IT leaders may be just starting to consider the security implications of their banking or commerce applications. There may be lingering uncertainty on what to do first. The following 5 steps are a great first start:

1. Update POS Applications. Visa maintains a list of Payment Application Best Practices compliant POS applications. Ensure that you are running a compliant version of POS.
2. Identify Poorly Coded Web Apps. Perform a code review for known coding flaws. Then follow-up with a vulnerability scan and an application-layer penetration test to ensure application code is PCI complaint and secure.
3. Perform Quarterly Vulnerability Scans. As detailed in DSS section 11.2, run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
4. Perform Annual Penetration Testing. Both internal and external (public facing) applications that process "sensitive" data should be penetration tested at least annually and whenever they undergo significant revision.
5. Create Formal SDLC Processes. Microsoft understood this via Trustworthy Computing. Make sure you formalize a Software Development Life Cycle that incorporates security analysis throughout that life cycle.

Note that these five steps will keep your development teams busy for a while. And make sure you have a good project manager to keep all of the tasks and teams in sync.

Visa PABP Replaced With PCI PA-DSS
COTS payment processing applications that are sold or leased to the public have more stringent requirements for application security compliance. These requirements were originally developed, implemented and enforced by Visa and were known as the Payment Application Best Practices (PABP) standard.

Over the years these requirements served the industry well and have helped to protect Visa credit card commerce wherever compliant applications have been implemented. Unfortunately, however, the PABP was focused primarily upon applications processing Visa payments, and the enhanced security benefits could not be shared across all payment card brands. It became obvious that a broader, more encompassing application security standard was in order; this is where PCI Payment Application Data Security Standard (PA-DSS) came into play.

In November 2007, the PCI Security Standards Council (SSC) announced that PABP will be transcended by the PCI Payment Application Digital Security Standard (PA-DSS). In doing so the PCI SSC became the sole entity to maintain these new card brand independent requirements and oversee compliance with this new security standard. Payment applications that have been previously certified as compliant with the most current versions of the PABP specification will have their certification grandfathered for a limited time, and be given a grace period before they must be recertified under the new PA -DSS.

• Email
• Print
• Comments
• Digg This
• SlashDot

• All About the PCI Data Security Standard
• How to Evaluate (and Use) Web Application Security Scanners
• Eyeballing the Security of Application Service Providers
• FUD Watch | Vendor Hype Escalates Over PCI Deadline
• Strong Authentication for Online Banking: Success Factors