Data is everywhere… but so are data thieves!
Any organisation that collects, processes, analyses, or stores data needs to be aware of the risks to this data. And this is especially true for organisations that collect, process, analyse, or store financial data.
The Payment Card Industry Data Security Standard (referred to as PCI DSS) requires organisations to protect the financial data of their consumers. This includes cardholder data (CHD) such as the Primary Account Number (PAN), cardholder name, expiration date, etc. For any organisation that accepts and/or processes credit or debit card payments, including merchants, processors, acquirers, issuers, and service providers, PCI DSS compliance is essential. Since its introduction in 2004, PCI DSS (now on version 3.2.1) has become the ubiquitous payment security standard throughout the world, including the USA and Europe.
But why is PCI DSS compliance such an important step in the perennial security journey?
Two words - data breach.
A PCI DSS compliant firm has the industry-accepted stamp of approval that confirms it is able to safeguard its customers’ sensitive financial data. Moreover, it also indicates a willingness to make the substantial effort required to achieve and maintain said compliance. This, in turn, signals its reliability and trustworthiness, which can positively affect its financial health and reputation.
There are 12 primary ‘requirements’ for PCI DSS compliance, broadly classified into six ‘goals’.
|Goals||PCI DSS Requirements|
|Build and maintain a secure network and system||1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|Protect cardholder data||3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
|Maintain a Vulnerability Management Program||5. Protect all systems against malware and regularly update anti-virus software and/or programs
6. Develop and maintain secure systems and applications
|Implement strong access control measures||7. Restrict access to cardholder data by business “need to know”
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
|Regularly monitor and test networks||10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
|Maintain an information security policy||12. Maintain a policy that addresses information security for all personnel|
Together, these goals and requirements clarify what an organisation needs to do in order to achieve and maintain PCI DSS 3.2.1 compliance; the goal of being compliant is to ensure a robust level of protection of cardholder data is achieved and maintained at all times.
Of these 12 requirements, requirement #6 pertains to ‘developing and maintaining secure systems and applications’. The goal is to establish a secure software development lifecycle (SDLC) built upon secure coding practices and then to periodically perform security assessments of said software to ensure newly identified vulnerabilities are proactively quashed before being exploited by malicious actors. And here’s where up-to-date, regular security training for application developers plays a critical role.
PCI DSS compliant organisations are required to safeguard their customers’ sensitive data. But to do so, they must ensure that their software developers are aware of the requirements, procedures, and goals specified in PCI DSS 3.2.1… how useful is compliance if it is not complied with on an ongoing basis? Ultimately, PCI DSS compliance depends on trained developers who can ensure that card payment transactions are not occurring courtesy of an insecure environment.
Developers should also be aware of common application security threats, including vulnerabilities such as Cross-Site Scripting and SQL injections, and they should know how to resolve them. To this end, developers need to comprehend and habitually implement secure coding techniques to reduce the number of vulnerabilities introduced and keep sensitive data safe from compromise. And all of this can only happen with training that is up-to-date, practical, and hands-on.
SecureFlag enables organisations to meet requirement 6.5 of PCI DSS: “address common coding vulnerabilities in software-development processes”. This includes:
Our PCI DSS Secure Coding Training equips developers with a thorough understanding of the issues, requirements, and testing procedures highlighted in PCI DSS 3.2.1 (6.5). Developers also learn how these issues manifest themselves and what their impact can be.
With our training, developers learn the coding techniques and guidelines that can help them develop secure applications. We thoroughly explain what works and what doesn’t from a practical perspective by drawing on common issues we have encountered during our penetrating testing engagements.
There are a multitude of training organisations available in the market today, with some offering excellent quality and others not so much. A major differentiator is not really the content itself but the manner in which the content is consumed by participants. For example, multiple choice quizzes are less impactful than exercises where participants write the actual code, which is corrected in real-time, to achieve the green light. SecureFlag believes in hands-on, practical training, appreciating that since security issues occur in the real world, they require training that emulates the characteristics of the real world as closely as possible.
With SecureFlag, developers learn how to identify and remediate the most prevalent security issues through 100% hands-on exercises. Each trainee is provided with a real, fully configured Integrated Development Environment (IDE) with coding exercises, where they learn to identify and remediate the security issue. The desktop environment is created on-demand and in just a few seconds. Plus, it can be accessed through a familiar web browser without any additional software installation required. The platform is architected to move away from a passive, lecture-style experience to one that is truly active, hands-on, and instantly effective.
To solve exercises, developers use the same tools and technologies they use in the workplace. This added familiarity means that their learning is not just useful but also immediately applicable to their everyday role.
For organisations looking for ‘individual’ training courses to align their developers’ skills with the specific PCI DSS requirements, SecureFlag offers unique and specially-designed Learning Paths which include all the PCI DSS focus vulnerabilities (from PCI-DSS v3.2.1, Requirements 6.5.1 to 6.5.10) in addition to memory scraping issues.
Upon successful completion of a Learning Path, participants gain a certification to prove their knowledge and competence in that skill area. This certification needs to be maintained with refresher exercises during the year to ensure their knowledge remains up-to-date and aligned with the ever-evolving threat landscape.
SecureFlag’s proprietary, analytics-rich learning platform maintains automated records and provides organisations with useful metrics for a comprehensive picture of their developers’ training outcomes in their pursuit of PCI DSS compliance.
Protecting sensitive data and achieving PCI DSS compliance can be a complicated endeavour. The best way to get started involves the right training - training that is comprehensive, up-to-date, and hands-on.
Empower your application developers with the right kind of knowledge for secure coding with SecureFlag’s PCI DSS training and take a huge step forward towards PCI compliance. Our programme can be customised depending on your business requirements or your developers’ knowledge/skill levels.
To know more or to request a demo, contact us at firstname.lastname@example.org.