Making sense of PCI Compliance

One of the interesting tasks at my previous startup was securing PCI compliance for our system. Important (and required by law, at that) for any site that does credit card processing or transactions, the exercise proved to be a challenging process.

Here are some notes and tips learned throughout the experience:

1. Do your own security scan/check to catch the usual suspects — SQL injection, cross-site scripting and known vulnerabilities (CVEs) in the other services you run. While it’s true that most frameworks should address these concerns, I found other interesting exploits during the scan. Two sites that were immensely helpful: the XSS cheat sheet and the SQL injection cheat sheet.

Take note of those tests that fail in your vulnerability scans.  Add them to your test library and routinely check against them for any page or module you add.
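One way to turn failed scan findings into a standing test library, as an added example that is not from the original post: the two render and two lookup functions are hypothetical stand-ins for a page that reflects a parameter and a query that looks up a customer, and the probe strings are constructed samples of the kind a scanner sends. The checks report which version still fails, so they can run against every new page or module.

```python
import html
import sqlite3

# Constructed probes of the kind a vulnerability scanner sends (sample values).
XSS_PROBES = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>']
SQLI_PROBE = "' OR '1'='1"


def render_unescaped(name: str) -> str:
    """Hypothetical 'before' page: reflects the parameter straight into HTML."""
    return f"<p>Hello, {name}</p>"


def render_escaped(name: str) -> str:
    """Hardened page: HTML-encodes the parameter before it reaches the markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def failing_xss_probes(render) -> list:
    """Probes that come back verbatim, i.e. markup the browser would execute."""
    return [p for p in XSS_PROBES if p in render(p)]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "a@example.com"), (2, "b@example.com")])
    return conn


def lookup_unsafe(conn, email: str) -> list:
    """Hypothetical 'before' query: string formatting builds the SQL."""
    rows = conn.execute(f"SELECT id FROM customers WHERE email = '{email}'")
    return [r[0] for r in rows]


def lookup_safe(conn, email: str) -> list:
    """Hardened query: the driver binds the value as a parameter."""
    rows = conn.execute("SELECT id FROM customers WHERE email = ?", (email,))
    return [r[0] for r in rows]


def sqli_probe_leaks(lookup) -> bool:
    """True if a probe that matches no real e-mail still returns rows."""
    return len(lookup(make_db(), SQLI_PROBE)) > 0
```

Wire `failing_xss_probes` and `sqli_probe_leaks` into the regular test suite so a new page that reflects input raw, or a new query built by string formatting, fails the build rather than the next quarterly scan.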

2. Ensure that you have strong security and network policies that you are implementing religiously.  Although an audit is not usually required for most of the websites that process credit cards online, it still behooves you/your company to actually implement the policies you’ve checked off.  Also, most of the vendors would routinely check your site every few months or so to ensure continued compliance.

3. Work with your vendor, ISP and other providers. Some CVEs are outdated and, frankly, idiotic. So be prepared to challenge the security vendors’ vulnerability assessment with some proof from your ISP and vendor.

4. Compliance != Security. Don’t be lulled into a false sense of, well, security once you have achieved compliance. On one hand, most of the vulnerability scans will probably re-occur after a certain number of months. On the other hand, you should always (pro)actively seek ways to improve your system. Security, as I mentioned in my earlier post, is not some software you install, or some certificate from a vendor you can hang your hat on. It is an ongoing process and a mindset. Design your code and architecture with security in mind and you have taken the first important step towards securing your applications.

Note/Aside: You could also ‘outsource’ compliance by handing off the responsibility to a payment gateway that does processing and saving of credit card information.

At the end of the day, the exercise proved to be helpful not only for compliance’s sake, but because it forced us to re-think and update our security policies. More than acquiring that security assessor’s compliance seal, the entire experience afforded an added layer of peace of mind against common attacks and vulnerabilities.
