Data is everywhere… but so are data thieves!

Any organization that collects, processes, analyzes, or stores data needs to be aware of the risks to this data. And this is especially true for organizations that collect, process, analyze, or store financial data.

Data thieves

The Payment Card Industry Data Security Standard (referred to as PCI DSS) requires organizations to protect the financial data of their consumers. This includes cardholder data (CHD) such as the Primary Account Number (PAN), cardholder name, expiration date, etc. For any organization that accepts and/or processes credit or debit card payments, including merchants, processors, acquirers, issuers, and service providers, PCI DSS compliance is essential. Since its introduction in 2004, PCI DSS (now on version 3.2.1) has become the ubiquitous payment security standard throughout the world, including the USA and Europe.

But why is PCI DSS compliance such an important step in the perennial security journey?

Two words - data breach.

A PCI DSS compliant firm has the industry accepted stamp of approval that confirms it is able to safeguard its customers’ sensitive financial data. Moreover, it also indicates a willingness to make the substantial effort required to achieve and maintain said compliance. This, in turn, signals its reliability and trustworthiness, which can positively affect its financial health and reputation.

Requirements for PCI DSS Compliance

There are 12 primary ‘requirements’ for PCI DSS compliance, broadly classified into six ‘goals’.

Goals PCI DSS Requirements
Build and maintain a secure network and system 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software and/or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures 7. Restrict access to cardholder data by business “need to know”
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy 12. Maintain a policy that addresses information security for all personnel

Together, these goals and requirements clarify what an organization needs to do in order to achieve and maintain PCI DSS 3.2.1 compliance; the goal of being compliant is to ensure a robust level of protection of cardholder data is achieved and maintained at all times.

Of these 12 requirements, requirement #6 pertains to ‘developing and maintaining secure systems and applications’. The goal is to establish a secure software development lifecycle (SDLC) built upon secure coding practices, and then to periodically perform security assessments of said software to ensure newly identified vulnerabilities are proactively quashed before being exploited by malicious actors. And here’s where up-to-date, regular security training for application developers plays a critical role.

The Need for PCI DSS Developer Training

PCI DSS compliant organizations are required to safeguard their customers’ sensitive data. But to do so, they must ensure that their software developers are aware of the requirements, procedures, and goals specified in PCI DSS 3.2.1… how useful is compliance if it is not complied with on an ongoing basis? Ultimately, PCI DSS compliance depends on trained developers who can ensure that card payment transactions are not occurring courtesy of an insecure environment.

Developers should also be aware of common application security threats, including vulnerabilities such as Cross-Site Scripting and SQL injections, and they should know how to resolve them. To this end, developers need to comprehend, and habitually implement, secure coding techniques to reduce the number of vulnerabilities introduced and keep sensitive data safe from compromise. And all of this can only happen with training that is up-to-date, practical, and hands-on.

PCI DSS Secure Coding Training with SecureFlag

SecureFlag enables organizations to meet requirement 6.5 of PCI DSS: “address common coding vulnerabilities in software-development processes”. This includes:

  • Train developers, at least annually, on up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.

Our PCI DSS Secure Coding Training equips developers with a thorough understanding of the issues, requirements, and testing procedures highlighted in PCI DSS 3.2.1 (6.5). Developers also learn how these issues manifest themselves and what their impact can be.

With our training, developers learn the coding techniques and guidelines that can help them develop secure applications. We thoroughly explain what works and what doesn’t from a practical perspective by drawing on common issues we have encountered during our penetrating testing engagements.

SecureFlag PCI Exercise

Why Choose SecureFlag

There are a multitude of training organizations available in the market today, with some offering excellent quality, and others, not so much. A major differentiator is not really the content itself, but the manner in which the content is consumed by participants. For example, multiple choice quizzes are less impactful than exercises where participants write the actual code, which is corrected in real-time, to achieve the green light. SecureFlag believes in hands-on, practical training, appreciating that since security issues occur in the real-world, they require training that emulates the characteristics of the real-world as closely as possible.

With SecureFlag, developers learn how to identify and remediate the most prevalent security issues through 100% hands-on exercises. Each trainee is provided a real, fully configured Integrated Development Environment (IDE) with coding exercises, where they learn to identify and remediate the security issue. The desktop environment is created on-demand and in just a few seconds. Plus, it can be accessed through a familiar web browser without any additional software installation required. The platform is architected to move away from a passive, lecture-style experience to one that is truly active, hands-on, and instantly effective.

To solve exercises, developers use the same tools and technologies they use in the workplace. This added familiarity means that their learning is not just useful, but also immediately applicable to their everyday role.

For organizations looking for ‘individual’ training courses to align their developers’ skills with the specific PCI DSS requirements, SecureFlag offers unique and specially-designed Learning Paths which include all the PCI DSS focus vulnerabilities (from PCI-DSS v3.2.1, Requirements 6.5.1 to 6.5.10) in addition to memory scraping issues.

  • § 6.5.1: Injection flaws, particularly SQL injection, OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws
  • § 6.5.2: Buffer overflows
  • § 6.5.3: Insecure cryptographic storage
  • § 6.5.4: Insecure communications
  • § 6.5.5: Improper error handling
  • § 6.5.7: Cross-site scripting (XSS)
  • § 6.5.8: Improper access control
  • § 6.5.9: Cross-site request forgery (CSRF)
  • § 6.5.10: Broken authentication and session management

Upon successful completion of a Learning Path, participants gain a certification to prove their knowledge and competence in that skill area. This certification needs to be maintained with refresher exercises during the year to ensure their knowledge remains up-to-date and aligned with the ever-evolving threat landscape.

SecureFlag’s proprietary, analytics-rich learning platform maintains automated records and provides organizations with useful metrics for a comprehensive picture about their developers’ training outcomes in their pursuit of PCI DSS compliance.

Conclusion

Protecting sensitive data and achieving PCI DSS compliance can be a complicated endeavour. The best way to get started involves the right training - training that is comprehensive, up-to-date, and hands-on.

Empower your application developers with the right kind of knowledge for secure coding with SecureFlag’s PCI DSS training and take a huge step forward towards PCI compliance. Our programme can be customised depending on your business requirements or your developers’ knowledge/skill levels.

To know more or to request a demo, contact us at info@secureflag.com.