PCI Compliance
Section 6.2 of the Data Security Standard
Security lapses by merchants and institutions handling credit card data enable criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.
If your organization is a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization handling credit card data in the US. Attaining compliance requires you to pass a rigorous audit from a licensed auditor, to ensure your network and practices meet the industry's best practices. In particular, section 6.2.2 of the standard lists the following requirement:
Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows:
- On software security relevant to their job function and development languages.
- Including secure software design and secure coding techniques.
- Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.
Section 6.2.3 goes on to elaborate which vulnerabilities your team should be aware of:
Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to the following:
- Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
- Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
- Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
- Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).
- Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.
- Attacks via any "high-risk" vulnerabilities identified in the vulnerability identification process.
This page illustrates how the Hacksplaining training material helps you meet your PCI security requirements. Don't forget to purchase an Enterprise License if you need evidence of completion!
Injection attacks
SQL Injection
- If you are vulnerable to SQL Injection, attackers can run arbitrary commands against your database.
Command Execution
- If your application calls out to the OS, you need to be sure command strings are securely constructed.
Regex Injection
- Regular expressions are frequently used in web-development, but can be abused by attackers.
Attacks on data and data structures
Attacks on cryptography usage
Attacks on business logic
Cross-Site Scripting
- If your site allows users to add content, you need to be sure that attackers cannot inject malicious JavaScript.
Reflected XSS
- When building a website, you need to be sure you do not accidentally create a channel that allows malicious JavaScript to be bounced off your server.
DOM-based XSS
- If you make use of URI fragments in your site, you need to ensure they cannot be abused to inject malicious JavaScript.
Cross-Site Request Forgery
- If an attacker can forge HTTP requests to your site, they may be able to trick your users into triggering unintended actions.
File Upload Vulnerabilities
- File uploads are an easy way for an attacker to inject malicious code into your application.
Attacks on access control mechanisms
Broken Access Control
- All resources on your site need to have access control implemented, even if they aren't intended to be discoverable by a user.
Directory Traversal
- Ensure file paths are safely interpreted, or hackers can access sensitive files on your server.
Privilege Escalation
- Privilege escalation occurs when an attacker exploits a vulnerability to impersonate another user or gain extra permissions.
Password Mismanagement
- Safe treatment of passwords is essential to a secure authentication system - yet many websites get this wrong.
User Enumeration
- Leaking username information on your site makes things much easier for hackers.
High-risk vulnerabilities identified in the vulnerability identification process
See the OWASP Top 10 for vulnerabilities you will likely need to cover.