Meeting the new PCI Application Security Requirements: Building Security In


Since 2005, over 215 million data records have been exposed as the result of security breaches. Uproar in the press, worldwide legislative bodies, and among consumers has spurred industry groups to work toward PCI regulations and best practices concerning the security of private data.

With the publication of the Payment Card Industry Data Security Standard (PCI DSS), merchants processing credit card data across the global marketplace now have a much clearer road map for establishing the proper controls and demonstrating the exercise of due care in the handling of their customers’ credit card data.

Focus on Application Security
Application security represents one of the areas most challenging to organizations subject to PCI regulations. Issues of both data privacy and security are reflected in Requirements 3 and 6, including a “best practices” focus on source code analysis, which will become a full requirement in June 2008.

  • Requirement 3: Protect stored cardholder data
      • There is no more critical requirement than the need to protect cardholder data in its stored state. Applications play a critical role in this task, particularly through the proper implementation of appropriate access control and cryptography. Compliance with this requirement cannot be assured unless the applications processing and storing the data have been comprehensively reviewed.
  • Requirement 6: Develop and maintain secure systems and applications
      • This requirement is the core regulation addressing the need to validate the security of sensitive applications. It directly addresses the foundation of secure applications: the introduction of security processes and review throughout the software development lifecycle. Planning, design, development, and deployment: all the stages of the lifecycle must make security considerations a top priority to make compliance possible and demonstrable.

PCI Compliance and Ounce
Ounce Labs has been one of the leading source code analysis vendors to provide PCI-specific capabilities within its tool. Through the company’s PCI “SmartAudit” report, customers are able to automate the assessment of the vulnerability state of their critical applications. Only the Ounce Labs solution has been designed from the ground up to provide your executives, analysts, developers and auditors with the answers they need to manage the risk from vulnerable software:

  • Quickly identify the most serious security risks: Ounce’s unique analysis capabilities identify the most critical coding errors and design flaws.
  • Maximize the effectiveness of your security stakeholders: The fastest time-to-results streamlines security efforts throughout the SDLC, for all stakeholders.
  • Manage risk across your enterprise portfolio: Centralized dashboards and policy management capabilities allow at-a-glance information about your software risk, enterprise-wide.

With a solution such as Ounce, organizations can take a truly systematic, measurable approach to PCI compliance by analyzing critical software for vulnerabilities throughout the development lifecycle, evaluating the work of outsourced developers, and proving the results of compliance efforts to management and regulators.

For more information about PCI compliance and Ounce, download our white paper entitled “Meeting the new PCI Application Security Requirements: Building Security In.”