Fortify Software

Payment Card Industry

Industry Situation

Any organization that stores or processes credit card information must comply with the Payment Card Industry (PCI) Data Security Standard (DSS) or risk losing its card processing privileges. First developed in 2005 and revised in 2006, the PCI DSS sets out a series of IT requirements that organizations must adopt. With the increase in both the scope and severity of application layer attacks, application security has become a major area of focus in the PCI DSS. Specifically, the PCI DSS mandates that all organizations:

Core Application Security Mandates
    Section 3: Protect Stored Cardholder Data
  • Do not store sensitive authentication data after authorization
  • Do not store the full contents of any track from the magnetic stripe
  • Mask PAN when displayed
    Section 6: Develop secure applications and systems
  • Review custom application code to identify coding vulnerabilities
  • Cover prevention of common coding vulnerabilities in software development processes
  • Train developers on secure coding practices
  • Develop all web applications based on secure coding guidelines such as the OWASP guidelines
  • Have all custom application code reviewed for common vulnerabilities or install an application layer firewall
Mandates that application security techniques can help satisfy
    Section 4: Encrypt transmission of cardholder data across open, public networks
  • 4.2: Never send unencrypted PANs by end-user messaging technologies
    Section 8: Assign a unique ID to each person with computer access
  • Render all passwords unreadable during transmission and storage on all system components
  • If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal
    Section 10: Track and monitor all access to network resources and cardholder data
  • Implement automated audit trails for all system components so that events can be reconstructed
  • Record the required audit trail entries for all system components for each event
  • Secure audit trails so they cannot be altered
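The Section 3 rule "Mask PAN when displayed" is concrete enough to show in code. The following is an added example written for this page, not Fortify's code and not text from the standard: `mask_pan` keeps at most the first six and last four digits, which is the most PCI DSS allows on a display, and `mask_pans_in_text` applies the same masking to free-form strings such as screen output or log lines. The Luhn mod-10 check is an assumption of this example (a way to avoid masking order numbers that merely look like card numbers), not a PCI requirement. The sample text and the card numbers in it are constructed test values.

```python
import re

# Constructed sample for the example: the two PANs are Luhn-valid sandbox
# test numbers; the 16-digit "ref" is a non-PAN that must be left alone.
SAMPLE_TEXT = (
    "Order 1182 paid with card 4111111111111111 (expires 12/29); "
    "fallback card 5500000000000004; ref 1234567890123456 is an order id"
)

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check (assumed here to filter out PAN look-alikes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4, fill: str = "*") -> str:
    """Return the PAN with its middle digits replaced by `fill`.

    First six and last four is the maximum PCI DSS permits on display;
    callers that need to show less (e.g. a receipt) pass smaller values.
    """
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("PCI DSS permits at most the first six and last four digits")
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13-19 digits")
    middle = len(digits) - keep_first - keep_last
    return digits[:keep_first] + fill * middle + digits[len(digits) - keep_last:]


def mask_pans_in_text(text: str, **mask_opts) -> str:
    """Mask every Luhn-valid PAN found in free text (UI strings, log lines)."""

    def _replace(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return mask_pan(digits, **mask_opts)
        return m.group(0)  # looks like a PAN but fails Luhn: leave it alone

    return _PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    print(mask_pan("4111111111111111"))  # 411111******1111
    print(mask_pans_in_text(SAMPLE_TEXT))
```

The masking is applied at the display boundary, not at storage: a PAN that must be stored is protected under the other Section 3 controls, and masking on output is what keeps it out of screens and logs that a wider audience can see.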

Key Challenges for Passing PCI

  • Poorly coded Web applications that lead to SQL injection vulnerabilities are one of the top five reasons for a PCI audit failure
    - Forrester Research
  • In 2006, section 6 (Develop and maintain secure systems and applications) was the 9th biggest problem for companies; in 2007, it was the 2nd biggest problem
    - Qualys
  • In a sample of 85K forensic cases, cross-site scripting was one of the top 10 vulnerabilities
    - Top Tier US Forensics company
  • 56 percent of organizations fail section 6
    - VeriSign

Fortify PCI Experience

  • Participating Organization of the PCI Council
  • Member of the ICSA Labs Web Application Firewall Consortium
  • The only vendor that offers both source code review and application firewall products
  • Two of the top 5 Online US retailers chose Fortify to secure their applications
  • Merchants of all sizes have selected Fortify to help them pass PCI audits

How Fortify can Help

Fortify offers a comprehensive suite of solutions, called Fortify 360, that enables an organization to conduct static analysis of an application's source code, dynamic analysis of a running application, and real-time monitoring and protection of a deployed application. No other company offers all three of these capabilities in one integrated platform. For a company working toward PCI compliance, Fortify addresses all of the application layer requirements, whether they call for a dynamic security test, a code review, or an application layer firewall. Fortify is trusted by organizations of all sizes to help them pass PCI compliance audits and is at the cutting edge of vulnerability research, tool development, and deployment practices.
