security standard that focuses on IT security requirements as well as proposing physical security and policy-related implementation in the organization.
Web application security, therefore, is an important consideration from a PCI-DSS standpoint. The standard, apart from requiring a strong authentication and authorization mechanism and implementation, encryption implementation, and logging implementation, calls for secure development practices as part of Requirement 6. This standard explicitly stresses the need for the development of and adherence to a secure SDLC and change management process. This standard also requires that public-facing Web applications be tested for common Web application vulnerabilities, as laid out by the OWASP Top Ten or similar standards. Apart from these requirements, this standard also delves into issues like code review, vulnerability assessment, and implementation of a Web application firewall.
Requirement 6 is meant for organizations that have their payment applications developed in-house or through outsourced software development. However, the Payment Card Industry has a separate standard for commercial applications, known as the Payment Application Data Security Standard (PA-DSS), which we will deal with next.
5.3.2.2 PA-DSS
The Payment Application Data Security Standard is another standard from the Payment Card Industry and is a subset of the PCI-DSS. It was seen that most merchants, processors, or service providers were not able to become PCI compliant because the applications that they had deployed or were utilizing did not support PCI compliance. Applications are a critical part of the payment processing life cycle; whether an e-commerce application, a payment-processing financial application, or a point of sale (POS) application, these applications are deeply involved in the payment processing cycle. Earlier, several of these applications did not support PCI compliance with respect to security capabilities like encryption, key management, logging, authentication, and authorization. Entities deploying these applications found it impossible to become PCI compliant. This prompted the creation of the PA-DSS. The PA-DSS applies to applications that are sold, distributed, or licensed to third parties and that are part of the authorization or settlement cycle of a payment transaction. For instance, if application vendor A develops an e-commerce application to be sold as a standard product, the application will have to be validated against PA-DSS to ensure that the clients of the application vendor (typically merchants, for whom the e-commerce application is the initial point of the payment authorization process) are not left with an application that is not conducive to PCI compliance requirements. The PA-DSS requirements are as follows:
1. Do not retain full magnetic stripe, card validation code or value, or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities.
8. Facilitate secure network implementation.
9. Cardholder data must never be stored on a server connected to the Internet.
10. Facilitate secure remote software updates.
11. Facilitate secure remote access to payment application.
12. Encrypt sensitive traffic over public networks.