The PCI Security Standards Council, a US-based forum for payment card security standards, has published Terminal Software Security Best Practices.
Separately, the deadline for retirement of PCI DSS 2.0 and mandatory validation under PCI DSS 3.0 is January 1, 2015.
The document gives details of the secure development of software designed to run on point-of-interaction devices. Point-of-interaction (POI) devices continue to be highly targeted by criminals, the council admits. PCI PIN Transaction Security (PTS) requirements address software code required to meet parameters defined in the PCI PTS POI Security Requirements. The best practices guide is intended to address other software that exists on the POI device, including payment and non-payment applications, and reinforces the importance of maintaining a layered approach to security. As fraud continues to evolve, it is important that efforts are made to ensure that all code within the payment ecosystems is secure, the council says.
This new guidance is for POI device vendors that write or implement applications within a POI device, to understand the potential threats, and employ appropriate processes throughout the development life cycle. Standard secure coding practices include:
Security awareness training that supports secure software development:
• Those involved in the development process (including software developers and peer reviewers) have important roles to play in developing software that implements secure coding practices and addresses threats. Those roles need to be defined before development begins, and the individuals filling them need to be trained in, and understand, secure software development.
Secure software development lifecycle:
• Organisations need to have a software security roadmap defined before development begins that will address known threats. The software needs to be mapped and documented, and rules and processes defined, so that security is implemented as part of the development process and not as an afterthought.
Device level testing:
• It is imperative to understand how the application will work when used with the hardware, firmware, and other applications it is intended to run alongside. While simulators and unit testing are essential, testing the device with the complete solution should be a priority.
Internal process reviews:
• The threat environment is constantly evolving, which is why organisations need to stay current on the latest threats and changes to ensure the procedures in place are still sufficient and are actually being followed.
The Terminal Software Security Best Practices information supplement is available for download from the PCI SSC website: pcisecuritystandards.org.
PCI SSC Chief Technology Officer Troy Leach said: “Criminals are looking at every aspect of a payment transaction to find ways for data exfiltration. While consumers and merchants alike benefit from additional features, complexity and increasing dependency on third-party applications can create new opportunities for exploit, which is why due diligence is so vital in the development of software that terminals rely upon. This paper highlights important best practices for software coding in this unique environment.”
About the PCI Security Standards Council
The PCI Security Standards Council manages the Payment Card Industry Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the payment card brands American Express, Discover, JCB International, MasterCard and Visa Inc., the council has more than 700 Participating Organizations representing merchants, banks, processors and vendors. Visit: pcisecuritystandards.org.