PCI-DSS, ITS HISTORY AND OUTLINED VULNERABILITIES WHEN TESTING SOFTWARE.

PCI-DSS (PAYMENT CARD INDUSTRY AND DATA SECURITY STANDARDS):

PCI-DSS is a security standard that specifies how payment card data and related cardholder information are to be handled, transmitted, and stored.

Data compromises are frequently reported by security experts, and they almost always trace back to improper data security: unpatched vulnerabilities, security misconfigurations, injection attacks, and many other classes of security flaws that lead to data compromise.

With the shift in technology, organizations globally process all forms of payment digitally, whether through credit card payment forms, bank wire transfers, checks, etc.

Because their customers trust their platforms, organizations that accept credit cards as a payment method are expected to follow standard security practices to protect the payment card information belonging to those customers.

 

[Image: PCI-DSS, its history and outlined vulnerabilities when testing software. The latest version is PCI-DSS v4.0, released on March 31, 2022. Image source: Fixitgearware Security]

HISTORY OF PCI-DSS:

The Payment Card Industry and Data Security Standard was initiated by the top credit card companies: VISA, MASTERCARD, AMERICAN EXPRESS, DISCOVER, and JCB International. Its objective is to help safeguard payment card information from unauthorized access and infrastructure compromise.

In 2004, these credit card companies came together to create a policy that could serve as a guideline for addressing the issues in the existing security standards. The collaboration gave birth to the first version of the PCI-DSS document, v1.0, outlining the baseline security requirements that merchants should adhere to on all their payment card processing platforms, and how payment card data is to be handled.

Over the years the PCI-DSS document has evolved to its latest version, PCI-DSS v4.0, released on March 31, 2022, and has contributed tremendously to the fight against data breaches and vulnerability exploits across the payment card industry.

While the standard was first instituted in the United States of America, organizations worldwide that handle credit card payments have adopted the information outlined in this document and tailored it to how their organization handles card and data security, never below the standard but often beyond it. For example, if the standard requires scanning the database where card data is stored every month, many organizations make it a weekly process, a stronger security measure.

PCI-DSS DOCUMENTATION AND REQUIREMENTS:

The PCI-DSS 4.0 document, which runs to over 360 pages, sets out extensive expectations for maintaining the security of card payment data. It covers, among other things, PCI-DSS assessment processes, implementing and validating PCI-DSS, and testing methods for PCI-DSS requirements.

For example,

Testing methods for PCI-DSS Requirements:

This method, identified in the testing procedures for each requirement, outlines the activities the security audit personnel (assessor) are expected to carry out to ensure that the facility meets the expected outcomes or requirements for credit card data security.

 

The objectives of the tests to be carried out include:

  1. Examination:

The security investigator or examiner is expected to critically evaluate the evidence, which comprises documents (physical and electronic), screenshots, configuration files, data files, system audit logs, etc.

  2. Observation:

Observing actions as they occur in the environment is part of the testing objectives. The security examiner or investigator should observe how the organization's personnel carry out their tasks. This includes how processes are performed, how system components respond to input, environmental situations or conditions, and physical controls or security.

  3. Interview:

The security examiner should speak with individual personnel, with the sole objective of obtaining trustworthy confirmation that the activities required for payment card security are actually carried out, and that the personnel have knowledge or understanding of specific information.

Carrying out the testing methods for PCI-DSS requirements corroborates the information disclosed by the organization about meeting the standards and requirements outlined in the PCI-DSS v4.0 document.

In addition, both the security examiner and the organization being assessed can have a clear understanding of any additional assessment activities required.

The items examined and the organization's personnel interviewed must be appropriate for both the requirement being assessed and each entity's implementation. All documentation of the assessment results should record the activities performed by the security examiner and their outcomes.

 

EXPECTATIONS REGARDING SOFTWARE DEVELOPERS OR PERSONNEL:

The requirements outline what organizations must institute for their software development personnel. These include, but are not limited to:

  1. Software development personnel are to receive security training at least once a year.
  2. This training should cover the software security practices relevant to their job functions and to the programming language they use (e.g. the language in which the application is developed).
  3. The principles of secure software design and secure coding techniques should be included.
  4. Security testing tools, how they are used, and how they detect vulnerabilities in software, should be included as well.

 

TESTING PROCEDURES FOR VULNERABILITIES THE SOFTWARE DEVELOPER SHOULD CONDUCT:

The list of common vulnerabilities below is extracted from the document.

The defined approach during security testing, or the testing procedures, comprises the following:

  • Injection attacks:

Software developers are to familiarize themselves with, and test for, injection attacks, including SQL, LDAP, XPath, and other command, parameter, object, fault, or injection-type flaws, which may compromise payment card information and PCI-DSS compliance.

  • Attacks on data and data structures:

Attacks on data structures are to be part of the approach. These include attempts to manipulate buffers, pointers, input data, or shared data.

  • Attacks on cryptography usage:

This comprises attacks that exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, hash functions, or modes of operation, and should be part of the testing procedures.

  • Attacks on business logic:

Business logic attacks attempt to abuse or bypass application features and functionality by manipulating APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).

  • Attacks on access control mechanisms:

Access control flaws result from security misconfigurations. These attacks include attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.

  • Attacks via any "high-risk" vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1 of the PCI-DSS document v4.0.
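The injection item above asks developers to test their own code for SQL injection. The following is an added example, not code from the original article or from the PCI-DSS document: a minimal self-test that runs the same cardholder lookup in a deliberately defective (string-concatenated) form and in the parameterized form against a constructed in-memory SQLite table, and reports whether a crafted input returns more rows than an ordinary one. Table, column names, sample rows and function names are all assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a cardholder lookup table.
    # The values are made up and are not real card numbers.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (id INTEGER, name TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cardholders VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Defect under test: user input is concatenated into the SQL text,
    # so a quote in the input changes the meaning of the statement.
    sql = "SELECT id, name, pan_last4 FROM cardholders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened form: the driver binds the value as data; the input is
    # never parsed as SQL, so the same crafted string matches no row.
    sql = "SELECT id, name, pan_last4 FROM cardholders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def injection_test(lookup):
    """Run one lookup function with a normal input and with a crafted
    input, and report whether the crafted input leaks extra rows."""
    conn = make_db()
    normal = lookup(conn, "alice")
    crafted = lookup(conn, "x' OR '1'='1")  # textbook tautology test string
    return {
        "normal_rows": len(normal),
        "crafted_rows": len(crafted),
        "leaks": len(crafted) > len(normal),
    }


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, injection_test(fn))
```

The check belongs in the project's regular test suite so that a later change back to string concatenation fails the build rather than reaching production.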

Although the PCI-DSS document is a lengthy read, cybersecurity professionals are advised to become familiar with the information it contains.

The information in this document is not limited to any one form of teaming in cybersecurity (e.g. Red, Blue, Yellow, Green, etc.), as it also outlines trending vulnerabilities targeting card information that all of these teams can learn about. To get a copy of the latest version of this document, kindly visit their official website.
