Updated PCI Data Security Standard Requires Source Code Security Analysis  
 
Payment Card Industry Data Security Standard and the Need for Software Assurance

In the wake of major security breaches that resulted in the theft of customer credit card data, the major card brands (MasterCard, Visa, JCB, Discover Financial Services and American Express) have banded together to mandate security requirements for all of their members, merchants and service providers that store, process or transmit cardholder data. The standard now includes a specific requirement that web-facing applications be analyzed for common security vulnerabilities.

Originally spearheaded by MasterCard and Visa International, the Payment Card Industry Data Security Standard (PCI DSS) was first released in January 2005 and was recently updated to version 1.1 in conjunction with the formation of the PCI Security Standards Council, an independent body that is responsible for the ongoing development of the PCI standard as it pertains to the security of customer account data.

While the PCI Security Standards Council will not enforce compliance itself, the major card brands will demand proof of compliance as a condition of doing business with them. Organizations that store, process, or transmit credit card data must demonstrate compliance with the PCI security requirements, which cover process, policy, network configuration, and vulnerability management of all system components in the cardholder data environment.

PCI DSS 1.1 clarifies the requirements for compliance, giving more detailed implementation guidance than the January 2005 release. In addition, it introduces explicit application security requirements through a new requirement 6.6 under Requirement 6, "Develop and Maintain Secure Systems and Applications". Requirement 6.6 calls for all web-facing applications to be protected against known attacks by either of the following methods:

- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. The corresponding testing procedure is to verify that custom application code is periodically reviewed by an organization that specializes in application security, that all coding vulnerabilities found were corrected, and that the application was re-evaluated after the corrections.

- Installing an application-layer firewall in front of web-facing applications.

NOTE: Requirement 6.6 is considered a best practice until June 30, 2008, after which it becomes a requirement.¹

According to Gartner, enterprises that process credit card information should "scan applications for vulnerabilities, using either manual code reviews or application-scanning tools (which are better-equipped and more reliable). This practice should be given priority over the use of Web application firewalls, which should be used in addition to, not instead of, ensuring that applications are secure."²

The only way to effectively review source code for vulnerabilities, both for code in development and for code already in production, is through the use of a tool like Ounce. Ounce offers a reliable, repeatable process for identifying software vulnerabilities, allowing enterprises to efficiently analyze their source code, remediate the vulnerabilities found, and demonstrate compliance.

1. PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard, Version 1.1, September 2006
2. Gartner Research, "Changes Will Improve PCI Security, But Not Enough", A. Litan, September 2006

 
  Ounce Labs  |  100 Fifth Avenue  |  Waltham, MA 02451  |  www.ouncelabs.com  |  866-33-OUNCE