Maintain a Vulnerability Management Program
There are two requirements in this third core area of PCI DSS (Maintain a Vulnerability Management Program), Requirements 5 and 6:
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
The aim of this area is to know your vulnerabilities and weaknesses, and how to fix them, before an attacker finds them.
Use and Regularly Update Anti-Virus Software or Programs
Anti-virus software should be installed on every system commonly affected by malware, which includes every workstation that sends or receives mail through your mail server, and it should be kept up to date. The anti-virus program should generate logs for you to review, so you can confirm that updates have been applied, see whether any threats were detected, and see what was done with them (blocked, quarantined or deleted).
The anti-virus program should also protect your systems against other forms of malicious software, including spyware and adware.
Develop and Maintain Secure Systems and Applications
Attackers are constantly probing software and components for vulnerabilities. Security patches should be installed as soon as possible, and critical patches no later than one month after release. Subscribe to a service that notifies you of newly disclosed vulnerabilities, such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) or CERT.
Development, test and production environments should be completely separate, since a development or staging environment is often less tightly secured than production. Duties should be separated as well, so that developers and testers do not have access to production cardholder data. Live PANs (primary account numbers) must never be used for testing or development. Some electronic payment gateways let you exercise the full transaction flow using published test card numbers instead. Before you go live, all test data and test accounts, along with any custom application accounts, user IDs and passwords, must be removed.
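One way to enforce the no-live-PANs rule before go-live, as an added example that is not part of the original page: a Python scanner that pulls 13 to 19 digit sequences out of test fixtures, keeps those that pass the Luhn check (the check-digit scheme payment card numbers use), and reports any that are not on the gateway's published test list. The fixture text and the allowlist are constructed for the example; 4111 1111 1111 1111 is a widely published Visa-format test number, and the second card-like value is made up and Luhn-valid so that the scanner has something to catch.

```python
import re

# Constructed sample test fixture for this example (not from the page).
SAMPLE_FIXTURE = """
# test-orders.yaml (constructed)
order_1: {card: "4111 1111 1111 1111", amount: 10.00}   # published gateway test number
order_2: {card: "4539-5781-2345-6789", amount: 25.00}   # made-up, not on the allowlist
order_3: {id: 20240115123456}                            # 14 digits, fails Luhn, ignored
support_phone: "+1 800 555 0199"                         # too short to be a PAN
"""

# Test PANs the gateway has published for this deployment (assumption: replace
# with your own gateway's list). 4111 1111 1111 1111 is a widely published
# Visa-format test number.
ALLOWED_TEST_PANS = {"4111111111111111"}

# 13 to 19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return distinct, digits-only, Luhn-valid candidates in the order found."""
    found: list[str] = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def check_fixture(text: str, allowed: set[str] = ALLOWED_TEST_PANS) -> list[str]:
    """PAN-like values in the fixture that are not approved test numbers."""
    return [pan for pan in find_pans(text) if pan not in allowed]


if __name__ == "__main__":
    offenders = check_fixture(SAMPLE_FIXTURE)
    for pan in offenders:
        # Print masked (first six, last four) so the tool itself never writes a full PAN.
        print(f"unapproved PAN-like value: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
    raise SystemExit(1 if offenders else 0)
```

Run it over test fixtures and seed data as a pre-deployment gate; a non-zero exit means something that looks like a real card number is about to go live. The Luhn filter removes most timestamps and order IDs, but a Luhn-valid value is only "PAN-like", so review the hits rather than deleting them blindly.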
Change Control
Change control procedures should be regimented and documented. These
procedures should include:
- Documentation of impact
- Management sign-off by appropriate parties
- Testing of operational functionality
- Back-out procedures
Without proper change controls in place, a breach can result from a change that an inexperienced or untrustworthy employee pushed into production unreviewed. Screening of personnel, including background checks, should be adequate to keep untrustworthy or untrained individuals from having access to the software code.
Secure Coding Guidelines
Software applications and code should be built following industry best practice for secure coding; consider the guidelines of the Open Web Application Security Project (OWASP) or the CERT Secure Coding Standards. All data must be validated by the application on the server before it is used; checks performed only in the browser can be bypassed and do not count. Error handling should also be reviewed. For example, a username and password are entered into your web application and the response is "incorrect password". That message tells an attacker the username exists, so only the password remains to be guessed. A generic message such as "data could not be verified" is better, and it must be the same, and take about the same time to produce, whether the username exists or not.
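The error-handling point above, as an added example (not code from the original page): a Python login check in the leaky form the text describes, next to a hardened form. The user store, the dummy credential, the username allowlist and the message text are constructed for the example. The hardened version validates the username format before any lookup, returns one generic message on every failure, compares hashes in constant time, and does the same password-hashing work whether or not the username exists, so neither the message nor the response time reveals which accounts are valid.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 100_000
GENERIC_FAILURE = "Login failed: the data could not be verified."
# Allowlist for the username field (assumption for this example): validated on
# the server before the value is used for anything.
_USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,64}")


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user store for this example: username -> (salt, password hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Dummy credential checked when the username does not exist, so the unknown-user
# path does the same hashing work as the wrong-password path. Its password is
# random, so nothing can ever match it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> str:
    """The pattern the text warns against: each failure path says something different."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username"        # confirms the account does not exist
    salt, stored = record
    if _hash_password(password, salt) != stored:
        return "Incorrect password"      # confirms the account exists
    return "Welcome"


def login_hardened(username: str, password: str) -> str:
    """One generic message on every failure, and the same work on every failure path."""
    if not _USERNAME_RE.fullmatch(username):
        # Malformed input is rejected before any lookup; the accepted format is
        # public, so this reveals nothing about which accounts exist.
        return GENERIC_FAILURE
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time compare; the dummy record must never count as a match.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return "Welcome" if ok else GENERIC_FAILURE
```

The vulnerable function also leaks through timing even if its two messages were made identical, because the unknown-user path skips the expensive hash; the hardened function closes that by always hashing against a real or dummy record. Log the specific reason (unknown user, bad password, malformed input) server-side for your own review, never in the response.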