PCI DSS 3.2

Payment Card Data Security

The Payment Card Industry Data Security Standard (PCI DSS) specifies 12 compliance requirements that are essential whenever credit card information is processed in software. The requirements range from secure system configuration to personnel awareness training. If your company collects, stores, or transmits credit card data, PCI DSS compliance requires you to ensure that your web application is secure against the breach or theft of cardholder data. Non-compliance can lead to a loss of credibility and customer trust, and in turn of business.

RIPS helps to assess the following PCI DSS compliance requirements, which can be tested with static analysis software.

| # | PCI DSS Requirement | How RIPS Can Demonstrate Compliance |
|---|---|---|
| 2.2 | Develop secure configuration standards for all system components. | RIPS identifies insecure configuration of PHP settings or sensitive features (2.2.4), and reports insecure connections to other systems. |
| 3 | Protect stored cardholder data. | RIPS detects weak one-way hash functions (3.4.a) and critical security vulnerabilities that could lead to the exposure of cardholder data or cryptographic keys (3.5). |
| 4 | Encrypt transmission of cardholder data across networks. | RIPS warns about missing certificate validation (4.1.b), insecure cryptography configurations (4.1.e) or algorithms (4.1.f), and missing HTTPS in URLs (4.1.g) used for data transmission. |
| 6 | Develop and maintain secure systems and applications. | RIPS scans applications for unknown (6.5) and known (6.2) security vulnerabilities according to industry standards (6.3), integrates seamlessly into the SDLC (6.6), scans code changes (6.4), and ranks security risks by severity (6.1). |
| 6.1 | Establish a process to identify security vulnerabilities and assign a risk ranking. | RIPS is regularly updated in order to identify new security vulnerabilities on an ongoing basis (6.1.a). All findings are assigned a risk ranking for efficient resolution management of "high risk" and "critical" vulnerabilities (6.1.b). |
| 6.2 | Protect all system components and software from known vulnerabilities. | RIPS identifies known security vulnerabilities in PHP's core and checks whether these are exploitable through your PHP code, based on a given PHP version. |
| 6.3 | Develop secure applications in accordance with PCI DSS and industry standards, and incorporate security throughout the SDLC. | RIPS supports leading industry standards (6.3.a), can be fully integrated into the software development life cycle (SDLC, 6.3.b), identifies hardcoded passwords (6.3.1) and potential coding vulnerabilities (6.3.2), and tracks PCI DSS requirements (6.3.c). |
| 6.4 | Follow change control processes and procedures for all changes to system components. | RIPS can rescan all custom code changes to verify PCI DSS compliance for all updates (6.4.5.3) and for new or changed systems (6.4.6). Additionally, RIPS helps to document the impact of a change (6.4.5.1) by comparing the analysis results to the previous scan. |
| 6.5 | Address common coding vulnerabilities in software-development processes. | RIPS detects all kinds of injection flaws (6.5.1), buffer overflows in PHP's core (6.5.2), weak cryptography (6.5.3), insecure communications (6.5.4), information leakage (6.5.5), high risk vulnerabilities (6.5.6), Cross-Site Scripting (6.5.7), improper access control (6.5.8), Cross-Site Request Forgery (6.5.9), and broken session management (6.5.10). Furthermore, by using RIPS, developers are constantly trained in secure coding techniques (6.5.a) and learn how to avoid common coding vulnerabilities (6.5.b). |
| 6.6 | For public-facing web applications, address new threats and vulnerabilities on an ongoing basis. | RIPS enables automated security assessment after any code change for the vulnerabilities listed in 6.5, helps to correct all issues, and is able to re-evaluate the application after the corrections. |
| 8.2 | Ensure proper user-authentication management on all system components. | RIPS reports security issues that can affect user authentication, such as insecure cookies, session fixation vulnerabilities, session ID leakage, or unencrypted transmission of passwords (8.2.1). |
| 10.5 | Secure audit trails so they cannot be altered. | RIPS detects Log Forge vulnerabilities that allow an attacker to alter audit trail files (10.5.2). |
| 11.3 | Implement a methodology for penetration testing. | RIPS can be considered a valid method for internal penetration testing of an application (11.3.2). |
| 12.2 | Implement a risk-assessment process. | RIPS provides an overall application risk score as well as a risk level for each vulnerability, and can be used to support a risk-assessment methodology. |
| 12.6 | Implement a formal security awareness program. | RIPS helps to continuously train developer teams about security threats while they evaluate and patch the reported security issues. |