Any application which needs to take payments online needs to be reviewed for its compliance under Payment Card Industry Data Security Standard (PCI DSS). Security requirements vary depending on the type of information processed, what data (if any) is stored by the application, and the yearly dollar amount payments to be processed.
Document all cardholder data flows and identify all systems that store, process or transmit cardholder data prior to beginning any assessment activities.
An inventory of all systems that store, process, and/or transmit cardholder data must be maintained. The following information at a minimum should be maintained in the inventory:
- System name
- Cardholder data stored (list fields)
- Reason for storage
- Retention period
- Protection mechanism (e.g., hashing, encryption, or truncation)
The Core PCI Requirements (as per: http://pcisecuritystandards.org)
- Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Restrict acces to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
Along with the previously documented development guidelines there are a few common mistakes made when developing applications which accept payments which run afoul of these guidelines.
Any storage of credit card avoided unless it is core to the business functionality. Third-party services for handling tokenization of the card information should be used. These services are typically cheaper than the cost of an annual audit required to stay compliant without them.
Your application is only as secure as its weakest link. Using the default password for services gives low effort entry to potential attackers.
Insecure websites are insecure.
It is hard to detect problems or intrusions without some kind of monitoring in place.
This should go without saying but any application which deals with payment information needs to be served over SSL.
Bugs and tracebacks happen but when they contain sensitive information it is a much bigger problem. In an ideal world credit card information would never pass through the server, even in memory, through the use of third-party providers and appropriate tokenization.
Software must be kept up to date with the latest security patches. That includes the application code and its dependencies along with the operating system and related services running on the server.