The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, Mastercard, American Express and Discover. Its 12 requirements are grouped into 6 main areas that all developers need to be aware of when building or deploying an application on the internet.
The six main areas are as follows: Build and Maintain a Secure Network, Protect Cardholder Data, Maintain a Vulnerability Management Program, Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and Maintain an Information Security Policy. Following this guide will help you increase the security of your application(s) that run on the internet.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewall best practices are well documented; the hard part is maintaining the ruleset over time. Organizations should use a default deny-all rule in their firewall ruleset so that any traffic not explicitly permitted is dropped and nothing slips through. This is extremely important when building applications, because web servers are generally exposed to the public internet.
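The following added example (not code from the original article) shows the default-deny idea as a small ordered rule evaluator in Python: rules are matched top to bottom, first match wins, and a packet that matches nothing is denied even if someone has deleted the catch-all rule. The ruleset, addresses and ports are constructed for illustration; the helper at the end is the kind of maintenance check a deployment pipeline can run to catch a ruleset that has lost its deny-all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port
    proto: str = "tcp"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        return (proto == self.proto
                and ip_address(src_ip) in ip_network(self.src)
                and (self.dst_port is None or self.dst_port == dst_port))


# Constructed ruleset for a public web server; evaluated top to bottom, first match wins.
WEB_SERVER_RULES: List[Rule] = [
    Rule("allow", "0.0.0.0/0", 443),   # HTTPS from anywhere
    Rule("allow", "10.0.0.0/8", 22),   # SSH only from the internal management network
    Rule("deny", "0.0.0.0/0", None),   # explicit catch-all: everything else is dropped
]


def evaluate(rules: List[Rule], src_ip: str, dst_port: int, proto: str = "tcp") -> str:
    """Return "allow" or "deny" for one packet. Deny is the fallback even when the
    catch-all rule is missing, so a careless ruleset edit can never open everything."""
    for rule in rules:
        if rule.matches(src_ip, dst_port, proto):
            return rule.action
    return "deny"


def missing_catch_all(rules: List[Rule]) -> bool:
    """Maintenance check: True when the last rule is not a deny-all (any source, any port)."""
    if not rules:
        return True
    last = rules[-1]
    return not (last.action == "deny" and last.dst_port is None
                and ip_network(last.src).prefixlen == 0)


if __name__ == "__main__":
    for pkt in (("203.0.113.5", 443), ("203.0.113.5", 22), ("10.1.2.3", 22), ("10.1.2.3", 3306)):
        print(pkt, evaluate(WEB_SERVER_RULES, *pkt))
    print("ruleset missing deny-all:", missing_catch_all(WEB_SERVER_RULES))
```

Run it as a script to see the four sample packets classified; only HTTPS from the internet and SSH from 10.0.0.0/8 get through.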
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
The only exception to this requirement is when an organization has a well-justified reason to ship a default and require customers or end users to change their password on first login. Developers should make a note of this and document every default password their application uses. This matters because attackers routinely try default credentials when attempting to break into systems.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
This refers mainly to how credit card information is stored on non-production servers, or locally on developers' workstations. When storing credit card information it is recommended to use a tool such as KeePass or LastPass, which can generate strong encryption keys and salts.
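As an added example (not from the original article), the Python below shows what an application record for a stored card should look like once the primary account number (PAN) has been rendered unreadable: the PAN is validated with the Luhn check, only a masked display form (first six and last four digits) and a keyed HMAC-SHA256 lookup token are kept, and the full PAN never appears in the stored record. The secret key and the test card number 4111111111111111 are constructed values; a plain unsalted hash is deliberately not used because the PAN space is small enough to brute-force.

```python
import hashlib
import hmac
import os
import re


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; rejects malformed input before anything is stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash so equal PANs can be matched (duplicate detection, lookups)
    without storing the PAN itself. The key must live outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_card(raw_pan: str, key: bytes) -> dict:
    """Build the record an application is allowed to persist for a card."""
    pan = re.sub(r"[\s-]", "", raw_pan)     # tolerate "4111 1111 1111 1111" style input
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "last4": pan[-4:],
        "masked": mask_pan(pan),
        "token": pan_token(pan, key),
    }


if __name__ == "__main__":
    key = os.urandom(32)                     # constructed; in practice comes from a key store
    record = store_card("4111 1111 1111 1111", key)
    print(record)
    assert "4111111111111111" not in str(record)
```

The record is safe to log, display to support staff or copy to a non-production environment; anything that still needs the full PAN (charging the card) should call out to the payment processor with a token it issued rather than read it back from this record.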
Requirement 4: Encrypt transmission of cardholder data across open public networks
When discussing this requirement, developers should pay close attention to the protocols used to transmit data. For example, if a RESTful HTTP API is in use, then it must be served over TLS (SSL) in order to comply with this requirement.
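The added Python example below (not part of the original article) is one way an API client can enforce this requirement rather than rely on whoever configures the endpoint: it builds a TLS context that verifies the server certificate and hostname and refuses anything below TLS 1.2, and it refuses to send cardholder data at all when the URL is plain http. The endpoint URL is a placeholder; `post_card_data` assumes a reachable server and is not exercised offline.

```python
import http.client
import json
import ssl
from urllib.parse import urlparse


def hardened_client_context() -> ssl.SSLContext:
    """Client-side TLS: system trust store, certificate and hostname verification,
    and nothing older than TLS 1.2 (SSLv3 and TLS 1.0/1.1 are refused)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def minimum_tls_version_name(ctx: ssl.SSLContext) -> str:
    """Helper for configuration audits: the name of the lowest protocol the context accepts."""
    return ctx.minimum_version.name


def transport_is_acceptable(url: str) -> bool:
    """Cardholder data may only leave the application over https."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def post_card_data(url: str, payload: dict, timeout: float = 10.0) -> int:
    """POST JSON to an API endpoint and return the HTTP status code.
    The transport check runs before a socket is opened, so a misconfigured
    http:// URL fails closed instead of leaking the payload in clear text."""
    if not transport_is_acceptable(url):
        raise ValueError(f"refusing to send cardholder data over insecure transport: {url}")
    parsed = urlparse(url)
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443,
                                       timeout=timeout, context=hardened_client_context())
    try:
        conn.request("POST", parsed.path or "/", body=json.dumps(payload),
                     headers={"Content-Type": "application/json"})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder endpoint: replace with the real payment API before running end to end.
    print(post_card_data("https://api.example.invalid/v1/cards", {"token": "tok_placeholder"}))
```

The same context settings apply server-side (`ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)` with the same `minimum_version`), so that the API itself cannot be negotiated down to an old protocol by a client.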
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Any organization that does not have antivirus installed on its systems at all is exposing itself to increased risk. Fortunately, almost every operating system has a tool built in, and for those that do not, organizations can look at free antivirus tools such as Avast or AVG.
Requirement 6: Develop and maintain secure systems and applications
This requirement seems very vague, however it applies to all systems and components within an organization. Developers should be sure to follow industry best practices, as well as consult internal security experts for guidance.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Organizations that have a formal process for determining who has access to credit card data should consult their PCI compliance toolkit for more information on how to approach this requirement. If a formal process is not in place, then developers should always assume that other developers within an organization do not need access to credit card data.
Requirement 8: Assign a unique ID to each person with computer access
Assigning users to groups based on their job functions is extremely important for PCI compliance, especially if layering of access control is used. This means that developers should only have the bare minimum privileges to do their job.
Requirement 9: Restrict physical access to cardholder data
This requirement will be difficult for most organizations, especially if they have a large number of developers in every department. The easiest way to comply with this is by ensuring that servers and workstations are stored in locked cabinets when unattended. This applies equally to laptops, so it is important to ensure that any hardware the organization uses follows the same guidelines.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
There are many good tools available for tracking, monitoring and alerting on security events. This includes monitoring changes made by administrators or developers within the organization.
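The added Python example below (not from the original article) ties Requirements 7, 8 and 10 together: each person has a unique user id mapped to one role, access to cardholder data is denied by default (the developer role has no card permissions at all), every decision is written as an audit line, and a small monitor reads those lines back and raises alerts for repeated denials from one user within a five-minute window and for any administrative change such as a firewall ruleset edit. The users, roles, timestamps and log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Need-to-know: a role lists exactly the operations it may perform; anything else is denied.
ROLE_PERMISSIONS: Dict[str, set] = {
    "payments-service": {"card:read", "card:write"},
    "support-agent": {"card:read-masked"},
    "developer": set(),                               # no access to cardholder data
    "admin": {"config:firewall", "role:assign"},
}

# Requirement 8: one id per person, no shared accounts. Constructed ids.
USERS: Dict[str, str] = {
    "u1001": "payments-service",
    "u2002": "support-agent",
    "u3003": "developer",
    "u4004": "admin",
}


def authorize(user_id: str, operation: str) -> bool:
    """Deny by default: unknown user, unknown role or unlisted operation all return False."""
    return operation in ROLE_PERMISSIONS.get(USERS.get(user_id, ""), set())


def audit_line(ts: str, user_id: str, operation: str, resource: str) -> str:
    """Every decision, allowed or not, is recorded with who, what and on which resource."""
    decision = "ALLOW" if authorize(user_id, operation) else "DENY"
    return f"{ts} user={user_id} op={operation} resource={resource} decision={decision}"


LINE_RE = re.compile(r"^(\S+) user=(\S+) op=(\S+) resource=(\S+) decision=(ALLOW|DENY)$")


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group(2), "op": m.group(3),
            "resource": m.group(4), "decision": m.group(5)}


def find_alerts(lines: List[str], deny_threshold: int = 3,
                window: timedelta = timedelta(minutes=5)) -> List[Tuple]:
    """Monitoring pass over audit lines. Emits one alert when a user reaches
    deny_threshold denials inside the window, and one for every privileged change."""
    alerts: List[Tuple] = []
    denies: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append(("unparseable", line))      # broken logging is itself a finding
            continue
        if ev["op"].startswith(("config:", "role:")):
            alerts.append(("privileged_change", ev["user"], ev["op"]))
        if ev["decision"] == "DENY":
            recent = [t for t in denies[ev["user"]] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            denies[ev["user"]] = recent
            if len(recent) == deny_threshold:
                alerts.append(("repeated_denials", ev["user"], len(recent)))
    return alerts


# Constructed sample log: a developer probing card records, then an admin changing the firewall.
SAMPLE_LOG = [
    audit_line("2024-05-01T10:00:01Z", "u1001", "card:read", "card/8812"),
    audit_line("2024-05-01T10:00:05Z", "u3003", "card:read", "card/8812"),
    audit_line("2024-05-01T10:01:10Z", "u3003", "card:read", "card/8813"),
    audit_line("2024-05-01T10:02:30Z", "u3003", "card:write", "card/8813"),
    audit_line("2024-05-01T10:03:00Z", "u4004", "config:firewall", "ruleset"),
    audit_line("2024-05-01T10:20:00Z", "u3003", "card:read", "card/8814"),  # outside the window
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT", alert)
```

Running the script prints the six audit lines followed by two alerts: the developer's third denied read at 10:02:30 and the admin's firewall change. The denial at 10:20 starts a fresh window and does not alert on its own, which is the behaviour you want when the threshold is meant to catch bursts rather than isolated mistakes.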
Requirement 11: Regularly test security systems and processes
It is important to remember that in a PCI DSS environment, testing should be performed in a lab with a copy of production data. This ensures that actual live customer data is not at risk when performing tests on the infrastructure. It is recommended to have full documentation of these testing plans, and to ensure that they are communicated to all concerned parties, including developers, operations, and security.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
This requirement is one of the most important aspects of PCI compliance. The overarching goal is to ensure that every employee within the organization understands their role in protecting credit card data. This should be part of the onboarding process for new hires, as well as ongoing training. If an organization does not currently have an Information Security Policy in place, then developers should work with their management to ensure one is developed.