PCI Compliance

Section 6.2 of the Data Security Standard

Security lapses by merchants and institutions handling credit card data enable criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.

If your organization is a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization handling credit card data in the US. Attaining compliance requires you to pass a rigorous audit by a licensed auditor, to ensure your network and practices meet the industry's best practices. In particular, section 6.2.2 of the standard lists the following requirement:

Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows:

  • On software security relevant to their job function and development languages.
  • Including secure software design and secure coding techniques.
  • Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.

Section 6.2.3 goes on to elaborate which vulnerabilities your team should be aware of:

Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following:

  • Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
  • Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
  • Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
  • Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).
  • Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
  • Attacks via any "high-risk" vulnerabilities identified in the vulnerability identification process.

This page illustrates how the Hacksplaining training material helps you meet your PCI security requirements. Don't forget to purchase an Enterprise License if you need evidence of completion!

Injection attacks

Attacks on data and data structures

Attacks on cryptography usage

Attacks on business logic

Attacks on access control mechanisms

High-risk vulnerabilities identified in the vulnerability identification process

See the OWASP Top 10 for vulnerabilities you will likely need to cover.