The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard, maintained by the PCI Security Standards Council, whose purpose is to protect cardholder data. PCI DSS applies to every organization involved in payment card processing - merchants, processors, acquirers, issuers, service providers, and any other entity that stores, processes or transmits cardholder data.

Each of the five global payment brands - American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. - incorporates the PCI DSS as the technical requirements of its own data security compliance program.

The GamaSec Web Vulnerability Scanner is designed to meet PCI DSS requirements. PCI DSS sets out 12 core requirements for protecting payment account data, grouped under six control objectives; Requirement 6 (develop and maintain secure systems and applications) falls under the "maintain a vulnerability management program" objective. Requirement 6.5 covers developing applications according to secure coding guidelines so that common coding vulnerabilities are prevented during development. Requirement 6.5 (PCI DSS v2.0 numbering) reads as follows:

6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:

  • 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
  • 6.5.2 Buffer overflow
  • 6.5.3 Insecure cryptographic storage
  • 6.5.4 Insecure communications
  • 6.5.5 Improper error handling
  • 6.5.6 All "High" vulnerabilities identified in the vulnerability identification process
  • 6.5.7 Cross-site scripting (XSS)
  • 6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, and directory traversal)
  • 6.5.9 Cross-site request forgery (CSRF)
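To make 6.5.1 concrete, the following added example (written for this page; it is not GamaSec code and not part of the PCI DSS text) contrasts a login query that splices user input into SQL with the parameterized form that the secure coding guideline calls for. The in-memory SQLite table, the user records and the two attack payloads are constructed for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The attacker-controlled values become part of the SQL text itself.
    # This is the coding flaw that 6.5.1 requires developers to prevent.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values as data, so quotes,
    # comment markers or keywords inside them are never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed payloads of the kind a scanner submits to detect 6.5.1 flaws:
# a tautology that makes the WHERE clause always true, and a comment marker
# that truncates the query so the password check is discarded.
TAUTOLOGY_PASSWORD = "' OR '1'='1"
COMMENT_USERNAME = "alice'--"


def run_demo() -> dict:
    """Return the outcome of legitimate and malicious logins against both forms."""
    conn = build_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "tautology_vulnerable": login_vulnerable(conn, "alice", TAUTOLOGY_PASSWORD),
        "tautology_parameterized": login_parameterized(conn, "alice", TAUTOLOGY_PASSWORD),
        "comment_vulnerable": login_vulnerable(conn, COMMENT_USERNAME, "wrong"),
        "comment_parameterized": login_parameterized(conn, COMMENT_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, authenticated in run_demo().items():
        print(f"{name}: {'authenticated' if authenticated else 'rejected'}")
```

Both payloads authenticate against the string-built query and are rejected by the parameterized one. A black-box scanner finds 6.5.1 flaws by submitting inputs like these and watching for the behavioural difference; the parameterized form is the remediation the requirement expects, and the same principle (bind data, never concatenate it into a command) applies to the OS command, LDAP and XPath injections that 6.5.1 also names.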