Key points from The Complete Guide to Application Security for PCI-DSS

The increasing popularity of online payment systems results from the world’s gradual transition to a cashless and contactless digital economy — an economy, projected in a recent Huawei white paper, to be worth $23 trillion by 2025. With digital commerce emerging as the largest segment in the projected $8.49 trillion global digital payments market in 2022, it’s not surprising that businesses are investing heavy capital in integrating this functionality into their operating platforms.

Credit cards remain a top favorite among the many ways consumers can now make purchases online. WorldPay’s Global Payment Report revealed that 34% of global consumers used credit and debit cards while purchasing items online. Credit cards were also the top payment option for point of sale (POS) transactions. However, concerns over the security risks of this technology continue to grow. The COVID-19 pandemic proved to be an aggravating factor as the U.S Federal Trade Commission (FTC) discovered a 44% increase in credit card fraud reports between 2019 and 2020. In 2021 the FTC further reported that it received consumer fraud reports totaling over $5.8 billion, a whopping 70% increase on the previous year. 390,000 of these reports were credit card frauds that led to identity theft.

Considering the security risks confronting the 2.8 billion credit cards used globally, protecting sensitive cardholder data has never been more crucial. The good news is that businesses can protect consumer data by strengthening their payment processing software and platforms with standard security procedures and technologies that can avert cardholder data breaches. Creating those security procedures is the focus of the Payment Card Industry Data Security Standard (PCI-DSS), a comprehensive list of 12 significant metrics against which businesses must measure their card payment policies and procedures. PCI-DSS guarantees compliance with its standard will ward off attackers by prioritizing the defense of development and infrastructure systems.

PCI-DSS 4.0 is the latest version of the security standard, and here are some of its recommendations for businesses to protect cardholder information on the payment processing software they use.

1. Build security into the software lifecycle

Whether the payment processing software is developed in-house or outsourced to a third party, it’s critical to prioritize security at every stage of the software’s lifecycle to ensure it’s hardened against attacks. While PCI SSC (PCI Security Standards Council) has a list of validated secure software programs and vendors, organizations could still acquire customized software. However, PCI-DSS’ Requirement 6.1.2 mandates organizations that develop bespoke software to ensure the software aligns with either one of PCI SSC’s Secure Software or Secure SLC standards.

In Requirement 6.2.2, software developers in charge of building products that handle personally identifiable information (PII) must also be trained yearly on secure software best practices to ensure they can spot, monitor, and correct potential attack vectors. This training will also include using automated security testing tools like dynamic application security testing (DAST), static application security tests (SAST), and other software composition analysis (SCA) tools during the evaluation stage of a software’s lifecycle. On average, organizations that fail to implement these mature security testing processes during their software lifecycle run a higher risk of exploitation.

2. Invest in continuous vulnerability analysis and management

During software testing, it is normal to identify a few security vulnerabilities. Upon identification, the development team should then make remediation plans. However, it is vital to note that vulnerabilities don’t come from the application alone but also the framework it runs on. Operating system vulnerabilities, for example, create backdoors for attackers to access software applications and cart away data crown jewels. For public-facing software applications, companies could either review yearly and after every significant change or deploy an actively-running automated solution that would scan for these threats in real-time (6.4.1).

To combat such attacks, PCI’s best practice requires businesses to fulfill regular vulnerability scanning requirements to evaluate the security posture of endpoints and network devices. For example, according to PCI-DSS 11.3.1.3 and 11.3.2.1, organizations must run internal and external vulnerability scans every three months and rescan after any significant change.

After that, developing comprehensive vulnerability management processes is the next step. In line with PCI-DSS 6.3, businesses must identify and address security vulnerabilities by monitoring security alerts from industry-recognized sources like cyber emergency response teams (CERTs). They must then catalog this information by assigning a risk ranking (e.g., “high,” “medium,” or “low”) based on the potential impact levels and industry best practices. Requirement 6.3.2 also maintains that companies must “maintain an inventory of bespoke and custom software to facilitate vulnerability and patch management.”

Once a vulnerability analysis is complete and a structure has been created, the next step is to automate the process to ensure a constant evaluation of the infrastructure. In 2021, at least one vulnerability was found in over 25,000 software applications, and more are being discovered daily. Attackers are also looking for new ways to exploit vulnerabilities. As a result, businesses must invest in automating these processes to stay ahead of the opposition.

3. Implement a set of consistent change management processes

Whether a system component is removed, added, or modified, those changes must be consistently managed through a set of change management processes. Before effecting change, it must go through a procedure of description, documentation of its impact on security and the approval of relevant parties, testing, and a contingency plan in case of failure (PCI DSS 6.5.1). The same applies to bespoke and custom software, as changes must comply with Requirement 6.2.4 before deployment.

These processes however need to be structured and consistent to not only ensure that organizations are not caught off guard, but to also guarantee a more solid and secure code during the development cycle. In addition, according to Requirement 6.5.2, once the change is complete, organizations must validate their systems to ensure they are still PCI-DSS compliant.

Until March 2025, these PCI requirements are considered the “best practices,” and entities will not be assessed for full compliance till then. However, for the next 18 months (and even more), organizations will have access to both v3.2.1 and v4.0.

Conclusion

The overarching purpose of fulfilling PCI-DSS requirements is not to merely tick compliance boxes but to create an unbeatable security structure that protects customer data and guarantees business success. Business leaders must have a “now or never” approach to PCI-DSS compliance – not just because organizations who rank high on compliance lists attract more investment, but because of the actual security value of compliance. The enterprise attack surface continues to widen, and threat actors won’t stop their exploitation attempts. So, it’s now or never. While organizations who treat compliance as a high priority will stay further ahead of the curve, those who do otherwise will have their defenses crippled sooner than later.

For more information about PCI compliance areas for protecting payment card software, you can access the complete guide by HelpSystems here.

About the Author: Kolawole Samuel Adebayo is a Harvard-trained tech entrepreneur, tech enthusiast, tech writer/journalist, and an executive ghostwriter. He has 10+ years of experience covering various tech news stories, writing thought leadership blogs, reports, datasheets, and case studies. His areas of expertise include cybersecurity, AI, ML, DevOps, and big data for C-level executive audiences. He has written for several publications, including VentureBeat, RSI Security, NWTechs, WATI Security, Draft.dev, Codecov, Teleport, and many more. He is also an award-winning poet, with works published in several journals around the world.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.