Appendix A: Application Security Guidelines for the Payment Card Industry Standards (PCI-DSS and PA-DSS)
The PCI Standards have acquired an extremely important position in the world of information security and compliance today. The objectives of the standard are to protect sensitive cardholder information stored, processed, or transmitted by organizations all over the world. The PCI Standards are divided into the Payment Card Industry Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS). The PCI-DSS is the parent standard that is applicable to organizations storing, processing, or transmitting cardholder information, and the PA-DSS applies to commercially resold applications that are part of a card authorization or settlement process. The PCI-DSS consists of 12 requirements encompassing all aspects of information security, including network security requirements, access control, encryption and data protection, logging, and log management, apart from other measures like risk management, security policies and procedures, physical security, and so on. The PA-DSS is a subset of the PCI-DSS, which only deals with security implementation and documentation requirements for applications that are to be deployed in a cardholder data environment.
Applications are an important aspect of compliance for the PCI Standards. All the security requirements of the standards, such as access control, encryption/data protection, and logging, apply to applications just as they are applicable to operating systems, network devices, and so on. We have highlighted relevant sections of the PCI Standards relating to application security in the book. Some of those sections are as follows:

An overview of the PCI Standards has been provided in Section 5.3.2, where the standards (along with other relevant security compliance standards) have been introduced to the readers. The overview of the standards has been provided and some of the important requirements of the standards in relation to Web application security have been explored.