PCI-DSS Compliance for Front-End Development
Front-end developers have a responsibility to maintain the standards set forth by the Payment Card Industry Security Standards Council. Use this guide to learn how front-end developers can maintain compliance with PCI-DSS standards.
Front-End Development and Payment Gateways
Front-end application security is as important as protecting your back-end, server-side code whenever the application collects credit card information or other sensitive user input, whether or not you use a hosted iframe from your payment provider.
Because the front end is accessible via a browser, at a minimum you’ll want to protect the information viewed or entered in the web application with a trusted SSL certificate, and recommend that end users upgrade to the latest version of your supported browsers.
You’ll also want to use security best practices such as input validation to ensure that users cannot enter invalid data or inject SQL commands that execute an attack on the application. Additionally, web application providers are strongly advised to perform penetration tests periodically to identify vulnerabilities and address them as soon as possible. Web application firewalls are also available as an additional layer of security to help protect the web application against DDoS attacks, etc.
Requirements for PCI Compliance in Front-End Development
Build and Maintain a Secure Network and Systems
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Front-end developers must pay special attention to particular PCI requirements when building systems that will be compliant with PCI validation. This will provide the end users of the system with a secure payment solution and reduce the depth and complexity of PCI compliance. Please see below for a breakdown of those specific requirements.
Requirement: Protect stored cardholder data
Developers should develop systems that do not store cardholder data. If storage of cardholder data is necessary, it should be limited to what is absolutely necessary to meet business, legal or regulatory needs.
If the system stores the 16-digit PAN (Primary Account Number), it must be rendered unreadable. If the system displays the PAN, it can only display a maximum of the first six and last four digits.
Payment solutions should never store Sensitive Authentication Data (SAD). SAD is typically defined as data on the back of the card (Track Data, CVV code, PIN/PIN Block) as well as EMV chip data.
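The display rule (at most the first six and last four digits) and the ban on keeping Sensitive Authentication Data can both be enforced in client code before a payment object reaches a log line or the UI. The JavaScript below is an added example, not code from the PCI Security Standards Council or any payment provider; the field names (pan, cvv, track2 and so on) and the function names are hypothetical.

```javascript
'use strict';

// Hypothetical SAD field names; adapt them to your own payload shape.
const SAD_FIELDS = new Set(['cvv', 'cvc', 'track1', 'track2', 'pin', 'pinBlock', 'emvData']);

// Luhn checksum: separates card numbers from other long digit runs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Show at most the first six and last four digits; mask everything between.
function maskPan(input) {
  const digits = String(input).replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) {
    throw new TypeError('not a PAN-shaped value');
  }
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Mask Luhn-valid card numbers embedded in free text (log lines, error messages).
function redactPans(text) {
  return text.replace(/\b\d(?:[ -]?\d){12,18}\b/g, (match) => {
    const digits = match.replace(/[ -]/g, '');
    return luhnValid(digits) ? maskPan(digits) : match;
  });
}

// Drop SAD entirely and mask the PAN before an object is logged or displayed.
function sanitizePayment(payload) {
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    if (SAD_FIELDS.has(key)) continue; // SAD is never kept
    out[key] = key === 'pan' ? maskPan(value) : value;
  }
  return out;
}
```

Running redactPans over every string handed to a client-side logger or error reporter catches card numbers that end up in messages by accident, while leaving order IDs and other digit runs that fail the Luhn check untouched.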
Requirement: Encrypt transmission of cardholder data across open, public networks
Developers of payment solutions that handle cardholder data must ensure that these systems encrypt transmission of cardholder data across public networks, especially the public internet.
Cybercriminals look to compromise cardholder data by intercepting transmissions over public networks. Encryption is required to render this data unreadable in transit. Developers need to make sure that the solution uses strong cryptography and security protocols such as SSL/TLS, SSH or IPsec to protect cardholder data during transmission.
Developers should also ensure that they include implementation guides/instructions to make sure that end users secure wireless networks at the merchant location.
Requirement: Develop and maintain secure systems and applications
Developers of payment applications need to pay special attention to the requirement to develop and maintain secure systems and applications.
This requirement states that developers are responsible for identifying security vulnerabilities that could impact their environment. Developers must use reputable outside sources and rank security vulnerabilities as “high, medium, or low.”
Developers are responsible for ensuring that systems, components and software are protected from known vulnerabilities by installing vendor-supplied security patches and installing critical security patches within one month of release.
All internal and external software applications must be developed in accordance with the PCI-DSS. This includes secure authentication procedures, logging capabilities, and requirements to incorporate information security throughout the software development lifecycle.
Developers must also be sure to remove any development or test accounts, user IDs, and passwords prior to bringing a solution to market for end users. There must be full separation of duties between the development and production environments, meaning no live PANs for development and removal of any test data for production.
Finally, developers are required to train personnel at least annually on up-to-date coding techniques and how to avoid common coding vulnerabilities. Some examples of these vulnerabilities include buffer overflows, cross-site scripting, and cross-site request forgery. For public-facing web applications, you must address new threats and vulnerabilities on an ongoing basis, using application vulnerability assessment tools (web application penetration testing) and/or setting up an automated solution such as a web application firewall to monitor traffic.
Front-end developers should take care to make sure they are building secure applications that meet the PCI-DSS standards required by the Payment Card Industry Security Standards Council. For more on PCI compliance, visit the PCI Security Council website.