PCI DSS 3.2

Payment Card Data Security

The Data Security Standard from the Payment Card Industry, short PCI DSS, specifies 12 compliance requirements that are essential when credit card information is processed in software. The requirements span from secure system configuration to personnel awareness training. If your company collects, stores, or transmits credit card data, PCI DSS compliance requires that you ensure that your web application is secure against the breach or theft of cardholder data. Non-compliance could lead to loss of credibility, customer trust, and in turn, business.

RIPS helps to assess the following PCI DSS compliance requirements that can be tested with static analysis software:

Supported PCI DSS Requirements

#PCI DSS RequirementHow RIPS Can Demonstrate Compliance
2.2Develop secure configuration standards for all system components.RIPS identifies insecure configuration of PHP settings or sensitive features (2.2.4), and reports insecure connections to other systems.
3.Protect stored cardholder dataRIPS detects weak one-way hash functions (3.4.a) and critical security vulnerabilities that could lead to the exposure of cardholder data or cryptographic keys (3.5).
4.Encrypt transmission of cardholder data across networksRIPS warns about missing certificate validation (4.1.b), insecure cryptography configurations (4.1.e) or algorithms (4.1.f), and missing HTTPS in URLs (4.1.g) for data transmission.
6.Develop and maintain secure systems and applicationsRIPS scans applications for unknown (6.5) and known (6.2) security vulnerabilities according to industry standards (6.3), seamlessly integrates into the SDLC (6.6), scans code changes (6.4), and ranks security risks by severity (6.1).
6.1Establish a process to identify security vulnerabilities and assign a risk rankingRIPS is regularly updated in order to identify new security vulnerabilities on an ongoing basis (6.1.a). All findings are assigned to a risk ranking for efficient resolution management of "high risk" and "critical" vulnerabilities (6.1.b).
6.2Protect all system components and software from known vulnerabilitiesRIPS identifies known security vulnerabilities in PHP's core and if these are exploitable through your PHP code based on a given PHP version.
6.3Develop secure applications in accordance with PCI DSS and industry standards, and incorporate security thoughout the SDLCRIPS supports leading industry standards (6.3.a), can be fully integrated into the software development life cycle (SDLC, 6.3.b), identifies hardcoded passwords (6.3.1) and potential coding vulnerabilities (6.3.2), and tracks PCI DSS requirements (6.3.c)
6.4Follow change control processes and procedures for all changes to system componentsRIPS can rescan all custom code changes to verify PCI DSS compliance for all updates (6.4.5.3) and for new or changed systems (6.4.6). Additionally, RIPS helps to document the impact of change (6.4.5.1) by comparing the analysis results to the previous scan.
6.5Address common coding vulnerabilities in software-development processesRIPS detects all kinds of injection flaws (6.5.1), buffer overflows in PHP's core (6.5.2), weak cryptography (6.5.3), insecure communications (6.5.4), information leakage (6.5.5), high risk vulnerabilities (6.5.6), Cross-Site Scripting (6.5.7), improper access control (6.5.8) and broken session management (6.5.10). Furthermore, developers are constantly trained in secure coding techniques (6.5.a) and learn how to avoid common coding vulnerabilities (6.5.b) by using RIPS.
6.6For public-facing web applications, address new threats and vulnerabilities on an ongoing basisRIPS enables automated security assessment after any code change for the vulnerabilities listed in 6.5, helps to correct all issues, and is able to re-evaluate after the corrections.
8.2Ensure proper user-authentication management on all system componentsRIPS reports security issues that can affect the user-authentication, such as insecure cookies, session fixation vulnerabilities, session ID leakage, or unencrypted transmission of passwords (8.2.1)
10.5Secure audit trails so they cannot be alteredRIPS detects Log Forge vulnerabilities that allow an attacker to alter audit trail files (10.5.2).
11.3Implement a methodology for penetration testingRIPS can be considered a valid method for internal penetration testing of an application (11.3.2). Further, RIPS Technologies offers manual penetration testing in order to find exploitable vulnerabilities from an external attacker's perspective.
12.2Implement a risk-assessment processRIPS provides an overall application risk score as well as a risk level for each vulnerability and can be used to support a risk-assessment methodology.
12.6Implement a formal security awareness programRIPS helps to constantly train developer teams about security threats while these evaluate and patch the reported security issues.
More Standards

Stay current
about our latest features