PCI DSS Compliance with Parasoft


What is PCI DSS?

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS was created to increase the security of credit, debit, and cash card transactions and to protect cardholders against misuse of their personal information. It is an actionable framework for building a robust payment card data security process that covers prevention, detection, and appropriate reaction to security incidents. PCI DSS consists of 12 requirements that are essential for the safe use of credit card information; Requirement 6 focuses on addressing common coding vulnerabilities in software development processes.

Enforcing PCI DSS Compliance with Static Analysis

Parasoft's static analysis solutions provide more support for Requirement 6 than any other source code analysis tool, helping teams achieve DevSecOps in compliance with PCI DSS by enforcing security from the very start of development. A comprehensive set of static analysis checkers finds security weaknesses and enforces secure software engineering standards to harden your application.

How Parasoft Helps Achieve PCI DSS Compliance

Parasoft users can leverage Parasoft's static code analysis products for Java and .NET to reduce the cost of achieving PCI DSS compliance and save time and effort.

Out-of-the-Box Static Analysis Configurations for PCI DSS

Unlike other static analysis vendors, Parasoft provides out-of-the-box policy/test configurations that are fully configurable and can be executed from within the IDE and via the CI/CD process to help quickly locate vulnerabilities earlier in the software development process.

PCI DSS Guidance and Training

Parasoft goes beyond other static analysis tools in its support for PCI DSS compliance. Parasoft users get guidance, right in the developer's IDE, on how to fix the vulnerabilities, along with supporting documentation and training material.

PCI DSS Compliance Status

For reporting, auditing, and continuous feedback to the whole team, Parasoft's real-time feedback gives users a continuous view of PCI DSS compliance status through interactive compliance dashboards, widgets, and reports that implement the PCI DSS risk assessment framework right within the dashboard itself.

PCI DSS consists of 12 requirements that are essential for the safe use of credit card information, all designed to meet certain security goals. Parasoft supports compliance in meeting Requirement 6.

Goals and their PCI DSS requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

Parasoft supports Requirement 6, which is broken down into the following sections:

6.1: Establish a process to identify security vulnerabilities and assign a risk ranking

6.2: Protect all system components and software from known vulnerabilities

6.3: Develop secure applications in accordance with PCI DSS and industry standards, and incorporate security throughout the SDLC

6.4: Follow change control processes and procedures for all changes to system components

6.5: Address common coding vulnerabilities in software development processes

6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis

Within PCI DSS Requirement 6, 6.5 is particularly critical as it states the requirement to "train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities," and "develop applications based on secure coding guidelines."

Requirement 6.5 is further broken down into the following sub-sections, all of which Parasoft supports in their entirety:

  • 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws
  • 6.5.2 Buffer overflows
  • 6.5.3 Insecure cryptographic storage
  • 6.5.4 Insecure communications
  • 6.5.5 Improper error handling
  • 6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
  • 6.5.7 Cross-site scripting (XSS)
  • 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
  • 6.5.9 Cross-site request forgery (CSRF)
  • 6.5.10 Broken authentication and session management
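The 6.5 sub-requirements above are the categories a static analysis checker is mapped to, and a compliance dashboard rolls findings up per category. The following is an added illustration of that mapping, not Parasoft's code or its rule set: a toy line-based checker in Python that flags four of the flaw classes (6.5.1, 6.5.3, 6.5.4 and 6.5.5) in a constructed Java fragment, counts findings per sub-requirement, and applies a simple CI gate. The rule identifiers, regular expressions, sample Java and the `scan`, `summarize` and `ci_gate` functions are all assumptions made for this example.

```python
# Added illustration (not Parasoft's code): a toy line-based checker that maps
# findings in Java source to PCI DSS 6.5 sub-requirements and rolls them up the
# way a compliance dashboard or CI gate would. Rule names, regexes and the
# sample Java below are constructed for this example.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    requirement: str  # PCI DSS 6.5.x sub-requirement the rule is mapped to
    rule: str         # short rule identifier (hypothetical)
    line: int         # 1-based line number in the scanned source
    text: str         # the offending source line, stripped


# (PCI DSS 6.5 sub-requirement, rule id, pattern applied to one source line)
RULES = [
    # 6.5.1 Injection: an SQL keyword inside a string literal that is then
    # concatenated with '+' is the classic shape of a SQL-injection sink.
    ("6.5.1", "sql-string-concat",
     re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+', re.IGNORECASE)),
    # 6.5.3 Insecure cryptographic storage: MD5 and SHA-1 are unsuitable for
    # protecting stored cardholder data or credentials.
    ("6.5.3", "weak-hash-algorithm",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"')),
    # 6.5.4 Insecure communications: a hard-coded plaintext HTTP endpoint.
    ("6.5.4", "plaintext-http-url",
     re.compile(r'"http://')),
    # 6.5.5 Improper error handling: a stack trace written to the HTTP
    # response leaks application internals to the client.
    ("6.5.5", "stacktrace-to-client",
     re.compile(r'printStackTrace\(\s*(response|resp)\.getWriter\(\)')),
]


def scan(source: str) -> list[Finding]:
    """Run every rule over every non-comment line; findings are ordered by line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # comment lines are not code
        for requirement, rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(requirement, rule, lineno, stripped))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per 6.5 sub-requirement (the dashboard roll-up)."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.requirement] = counts.get(finding.requirement, 0) + 1
    return counts


def ci_gate(findings: list[Finding]) -> bool:
    """CI policy used in this example: any 6.5 finding fails the build."""
    return len(findings) == 0


# Constructed Java fragment; the parameterized query and SHA-256 lines are the
# safe counterparts of the flawed lines just above them.
SAMPLE_JAVA = """\
// constructed sample, not real application code
String sql = "SELECT * FROM cards WHERE pan = '" + pan + "'";
ResultSet rs = stmt.executeQuery("SELECT * FROM cards WHERE pan = '" + pan + "'");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM cards WHERE pan = ?");
MessageDigest weak = MessageDigest.getInstance("MD5");
MessageDigest ok = MessageDigest.getInstance("SHA-256");
URL gateway = new URL("http://gateway.example/charge");
} catch (SQLException e) { e.printStackTrace(response.getWriter()); }
"""

if __name__ == "__main__":
    results = scan(SAMPLE_JAVA)
    for f in results:
        print(f"{f.requirement} {f.rule:22} line {f.line}: {f.text}")
    print("per-requirement:", summarize(results))
    print("CI gate passed:", ci_gate(results))
```

Running the block reports two 6.5.1 findings (lines 2 and 3) and one each for 6.5.3, 6.5.4 and 6.5.5, while the parameterized `prepareStatement` and the SHA-256 lines pass; the gate fails the build. The caveat a practitioner should keep in mind is that a line-based pattern cannot tell whether `pan` is attacker-controlled or whether the HTTP URL is ever used, so it produces both false positives and false negatives; a real checker such as the ones the page describes works on data flow through the program, and a per-requirement roll-up like `summarize` is only as trustworthy as the rules behind it.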

Want to learn more?

Parasoft integrates with a wide variety of software, tools, and frameworks, so you can easily adopt and scale within your existing development environment.