White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers




Contents

Overview
I. The PCI DSS Requirements
II. Compliance and Validation Requirements
III. The Current State of PCI Compliance
IV. PCI is Increasing its Focus on Application Security
V. How Veracode Can Help
VI. Summary and Conclusions
About Veracode

2008 Veracode, Inc.

Overview

Triggered by a number of security breaches and concerns over the abuse and theft of credit card data, the major credit card companies (American Express, Discover, JCB, MasterCard and Visa) formed the PCI Security Standards Council (PCI SSC) in September 2006. The PCI Data Security Standard (PCI DSS) sets out the requirements that vendors must meet in order to conduct business transactions using payment cards. New PCI requirements that specifically focus on application security become mandatory by June 2008. With their own brands at risk, merchants and service providers must secure their applications against potential vulnerabilities to comply with PCI standards.

I. The PCI DSS Requirements

The PCI DSS requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. Organizations that do not comply with the standard may be fined, or may lose the ability to accept credit cards altogether. Further pressure to comply comes from data breach disclosure laws that exist in approximately 40 U.S. states, from additional legislation that has been introduced in states such as Minnesota (Plastic Card Security Act), and from proposals under consideration in other states to codify the PCI DSS guidelines into state law. These laws focus on making breached entities financially liable to credit unions and banks for the costs associated with data loss.

There are 12 Payment Card Industry (PCI) DSS requirements, organized into 6 logically related groups:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

II. Compliance and Validation Requirements

All merchants and service providers must comply with PCI DSS. Actual validation of merchant and service provider compliance varies by payment brand: each card network maintains its own definition of merchant level and sets the requirements for validating compliance. The chart below shows the current requirements for each merchant and service provider level for the three main payment brands.

[Chart: validation requirements by merchant and service provider level for the three main payment brands]

III. The Current State of PCI Compliance

According to Visa, only 39% of Level 1 merchants and 33% of Level 2 merchants were PCI DSS compliant as of June 2007. Based on information from Visa, fines totaled $4.6 million in 2006, up from $3.4 million in 2005. Additionally, PCI enforcement is now expanding beyond the U.S. and Canada to other countries. Organizations that do not comply with the standard may be fined up to $500,000 for each instance of non-compliance, or may lose the ability to accept credit cards altogether.

IV. PCI is Increasing its Focus on Application Security

With enterprises largely successful in securing their networks, the application layer has become criminals' new favorite target, and for good reason: applications control access to sensitive business transactions and mission-critical customer data. Not surprisingly, 75% of all new attacks are against applications rather than networks, and 90% of all vulnerabilities are in software, according to Gartner, Inc.

With the release of PCI DSS 1.1 in September 2006, the standard placed a stronger emphasis on application security. Among the enhancements are detailed application security requirements covering code reviews and the proper handling of test, development and production environments and data. Web-facing applications must also either have their custom application code reviewed by a firm that specializes in application security or have an application-layer firewall installed in front of the application. This is currently a best practice and will become a mandatory requirement (section 6.6) starting in June 2008. Although either approach can be used to meet PCI compliance requirements, Gartner strongly recommends application security reviews:

"Scan applications for vulnerabilities, using either manual code reviews or application scanning tools (which are better equipped and more reliable). This practice should be given priority over the use of Web application firewalls, which should be used in addition to, not instead of, ensuring that applications are secure."
Avivah Litan, Gartner, "Changes Will Improve PCI Security, But Not Enough"

Additionally, Gartner goes on to comment:

"The PCI standard allows the use of Web application firewalls to be placed in front of applications that have not been tested. These products can be effective in blocking many attacks against typical Web-based applications, but they do require tuning and administrative support and often need to be integrated into application delivery controller architectures. Gartner recommends that enterprises use Web application firewalls only as a last resort, or, when budget permits, as an added security precaution."
Avivah Litan and John Pescatore, Gartner, "Answers to Common Questions on PCI Compliance"

V. How Veracode Can Help

To help merchants and service providers assess their application security risks, Veracode has designed the first complete, automated application security solution that incorporates multiple vulnerability scanning technologies in an integrated on-demand model. The service helps enterprises review web applications for the security vulnerabilities relevant to PCI compliance. Because it runs on a centralized on-demand platform, Veracode can deliver results in a matter of hours.

Veracode SecurityReview for PCI provides merchants and service providers with an independent security assessment of custom web applications or purchased software to evaluate PCI compliance. This reduces the burden of manually evaluating software and eliminates the need for access to the source code, protecting the intellectual property of your software vendor and the integrity of your working relationship with the supplier.

How Veracode's SecurityReview Works

As an easy-to-use on-demand service, all Veracode requires from the merchant to scan custom or third-party web applications is either the URL of the web application or, for third-party software, the contact details of the vendor that supplied it. If third-party software is involved, Veracode contacts the payment software vendor directly. Since Veracode's on-demand service is based on binary analysis, no source code is required to conduct the assessment. Results are available to the merchant in as little as 24 to 72 hours and include security ratings, high-level vulnerability information and detailed PCI reports.

Veracode's Rating Service

A standard component of Veracode SecurityReview for PCI is Veracode's Rating Service, the industry's first standards-based rating service for determining security levels in software. The Veracode Software Security Ratings Service gives enterprises and ISVs a pragmatic way to measure, compare and improve application security levels and achieve PCI compliance. It is based on industry standards, including MITRE's Common Weakness Enumeration (CWE) for classifying software weaknesses and FIRST's Common Vulnerability Scoring System (CVSS) for rating severity and ease of exploitation. Veracode is the only organization to combine these standards into a meaningful and practical way to assess software security across internally and externally developed applications. Much as Moody's does for financial services or Consumer Reports for household products, Veracode provides an easy-to-understand rating based on a three-letter system that combines multiple software security testing techniques. The assurance level of the software determines whether one, two or all three testing techniques are used. The rating can readily be used to document requirements for PCI compliance.

Veracode's Support for Specific PCI DSS Requirements

Working from PCI DSS version 1.1, released September 2006, Veracode can assist with the controls listed below by creating contextual reports complete with remediation data; the certifying entity can use these records as proof of a valid and efficient control. Veracode helps organizations achieve or maintain compliance by combining its patented automated static binary analysis with automated dynamic analysis (penetration testing). Below are the PCI DSS controls and how Veracode addresses them.

6.3 Develop software based on industry best practices.
Veracode applies the Common Vulnerability Scoring System and the Common Weakness Enumeration to its scans as a method of establishing a transparent baseline. Using the Veracode service to remediate vulnerabilities within an application is an effective element of secure software development. Additionally, using automated dynamic and binary analysis, Veracode checks for the OWASP Top Ten, the NIST list and many other industry best practices.

6.3.7 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerabilities.
Because its approach is based on binary analysis, Veracode's service can analyze the entire application rather than selected portions of the code base.

6.5 Develop all web applications based on secure coding guidelines (OWASP Top 10).
6.5.1 Unvalidated input
6.5.2 Broken access control (e.g. malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and session cookies)
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (e.g. SQL injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management
Using the Veracode service to identify and remediate vulnerabilities within an application is an effective method of securing software development. Additionally, using automated dynamic and binary analysis, Veracode checks for the OWASP Top Ten, the NIST list and many others.

6.6 For all web applications: code review by an independent authority or an application firewall.
By definition, Veracode is an independent third-party authority, having shaped the fields of application analysis and code review. Additionally, the PCI DSS Council has stated:

"Using specialized 3rd party tools that perform thorough analysis of applications to detect vulnerabilities and defects may well meet the intention and objectives of the source code review requirement in PCI Data Security Standard requirement 6.6, if the company using the 3rd party tool also has the internal expertise to understand the findings and make appropriate changes. The PCI Security Standards Council will look to clarify this section of the standard during the next revision, to include that testing of web facing applications can be done via source code review or products that test the application thoroughly for defects and vulnerabilities (when internal staff has the skills to use the tool and fix defects). The PCI Security Standards Council will also consider including prescriptive requirements as to what both the application firewall and application analysis tool or process should test for."

Veracode can certainly demonstrate the expertise required to satisfy this finding; outsourcing internal requirements is an acceptable response when a certifying entity lacks the resources to comply effectively on its own.

VI. Summary and Conclusions

With 75% of all new attacks directed against software and 90% of all vulnerabilities residing in software, the PCI SSC has modified the PCI DSS to place a stronger emphasis on application security. Merchants and service providers that want to avoid potential fines should prepare well in advance for the more stringent requirements that become mandatory in June 2008 by evaluating third-party application security service providers.

About Veracode

Veracode is the world's leader in on-demand application security testing solutions. Veracode SecurityReview is the industry's first solution to use patented binary code analysis and dynamic web analysis to assess application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company's source code. Delivered as an on-demand service, Veracode offers the simplest and most cost-effective way to implement security best practices, reduce operational cost and meet regulatory requirements such as PCI compliance without requiring any hardware, software or training. Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide's Tomorrow's Technology Today Award 2008, Information Security Readers' Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", NetworkWorld Top 10 Security Company to Watch 2007, and Dark Reading's Top 10 Hot Security Startups 2007.

Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.