One of the interesting tasks at my previous startup was securing PCI compliance for our system. Important (and required by law, at that) for any site that does credit card processing or transactions, the exercise proved to be a challenging process.
Here are some notes and tips learned throughout the experience:
1. Do your own security scan/check to catch the usual suspects — SQL injection, cross-site scripting and known vulnerabilities (CVEs) in the other services you run. While it’s true that most frameworks should address these concerns, I found other interesting exploits during the scan. Here are two sites that were immensely helpful: XSS cheat sheet, SQL injection cheat sheet.
Take note of those tests that fail in your vulnerability scans. Add them to your test library and routinely check against them for any page or module you add.
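As an added example (not code from the original post), here is the kind of regression harness item 1 describes: a list of inputs that a scan once flagged, fed to hypothetical HTML-rendering and user-lookup handlers, with a check that each one is neutralised. The handler names, the in-memory SQLite table and the probe strings are all constructed for this illustration.

```python
import html
import sqlite3

# Constructed regression inputs: probe strings of the kind a scan flags.
# Each entry is (name, input); the list grows whenever a scan finding is fixed.
REGRESSION_INPUTS = [
    ("xss-script-tag", "<script>alert(1)</script>"),
    ("xss-attr-breakout", '" onmouseover="alert(1)'),
    ("sqli-tautology", "' OR '1'='1"),
    ("sqli-comment", "admin'--"),
]


def render_greeting(name: str) -> str:
    """Hypothetical page fragment; escapes user input before embedding it in HTML."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Hypothetical lookup that binds the value instead of concatenating it into SQL."""
    cur = conn.execute("SELECT id FROM users WHERE username = ?", (username,))
    return cur.fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the harness runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("admin",)])
    return conn


def run_regressions() -> dict:
    """Return {name: passed}; True means the handler neutralised that input."""
    conn = make_db()
    results = {}
    for name, payload in REGRESSION_INPUTS:
        if name.startswith("xss"):
            # Strip the fixed wrapper; no raw markup characters may survive from the input.
            body = render_greeting(payload).removeprefix("<p>Hello, ").removesuffix("</p>")
            results[name] = not any(ch in body for ch in "<>\"'")
        else:
            # A tautology or comment probe must match zero rows, never every row.
            results[name] = find_user(conn, payload) == []
    return results
```

Run `run_regressions()` from your test suite and fail the build on any `False`; add a new `(name, input)` pair each time a scan report is fixed.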
2. Ensure that you have strong security and network policies and that you are implementing them religiously. Although an audit is not usually required for most websites that process credit cards online, it still behooves you/your company to actually implement the policies you’ve checked off. Also, most vendors will routinely check your site every few months or so to ensure continued compliance.
3. Work with your vendor, ISP and other providers. Some CVEs are outdated and, frankly, idiotic. So be prepared to challenge the security vendor’s vulnerability assessment with some proof from your ISP and vendor.
4. Compliance != Security. Don’t be lulled into a false sense of, well, security once you have achieved compliance. On one hand, most of the vulnerability scans will probably re-occur after a certain number of months. On the other hand, you should always (pro)actively seek ways to improve your system. Security, as I mentioned in my earlier post, is not some software you install, or some certificate from a vendor you can hang your hat on. It is an ongoing process and a mindset. Design your code and architecture with security in mind and you have taken the first important step towards securing your applications.
Note/Aside: You could also ‘outsource’ compliance by handing off the responsibility to a payment gateway that does the processing and storage of credit card information.
At the end of the day, the exercise proved to be helpful not only for compliance’s sake, but also because it forced us to re-think and update our security policies. More than acquiring that security assessor’s compliance seal, the entire experience afforded an added layer of peace of mind against common attacks and vulnerabilities.
