PCI DSS

Application Level PCI DSS
Payment Card Industry Data Security Standard
Wikipedia states that "the Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands." [source]
Validation of PCI DSS compliance can be performed externally, internally, or both. Full compliance is a moving target and can be an expensive undertaking. Broadly, the work falls into five areas: application-level compliance (how well your Web site resists external vulnerabilities and intrusion); network-level compliance (how secure your LAN/WAN and other networks are); data-storage compliance (the policies and procedures you have for storing cardholder and account data); physical-security compliance (how well your servers are protected from physical compromise); and maintaining a written information security policy. These areas are a convenient grouping of the standard's requirements; they are not the merchant levels (1 through 4) that the card brands assign by annual transaction volume, which determine whether you validate through an on-site assessment or a self-assessment questionnaire.
Web application level compliance can be, depending on how the application was built, the easiest area to achieve. A number of Approved Scanning Vendors (ASVs) offer external vulnerability scans that probe your Web site for known, externally visible vulnerabilities. When a scan identifies a vulnerability, you are notified and can remediate it promptly. Bear in mind that a passing ASV scan, which the standard requires at least quarterly and after significant changes, is only one control: it sees only what is exposed to the scanner from the outside, and it does not replace the secure development practices and penetration testing the standard also requires.
Depending on how your application must handle cardholder data (for example, whether it stores card numbers itself or hands the transaction off to a hosted payment page), we can work with you to achieve and maintain application-level compliance. Compliance at the application level is only one step toward full compliance, but your application is often the front door for network intrusion and other exploited vulnerabilities.
Application Security Scanning
Some merchant banks (acquirers) offer application- and network-level external vulnerability scanning as an extended service. If your merchant bank does not, we will help you select an Approved Scanning Vendor (ASV) from the list maintained by the PCI Security Standards Council.
For the full PCI DSS specification see PCISecurityStandards.org.