Payment Application Data Security Standard 3.2
“Payment application code is reviewed prior to release to customers after any significant change, to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
- Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code-review techniques and secure coding practices.
- Code reviews ensure code is developed according to secure coding guidelines. (See PA-DSS Requirement 5.2.)
“Develop all payment applications to prevent common coding vulnerabilities in software-development processes. Verify that payment applications are not vulnerable to common coding vulnerabilities by performing manual or automated penetration testing.”
“Software vendors must establish a process to identify and manage vulnerabilities. Any underlying software or systems that are provided with or required by the payment application (for example, web servers, third-party libraries and programs) must be included in this process.”
“Identify new security vulnerabilities using reputable sources for obtaining security vulnerability information.”
“Assign a risk ranking to all identified vulnerabilities, including vulnerabilities involving any underlying software or systems provided with or required by the payment application.”
“Test payment applications and updates for the presence of vulnerabilities prior to release.”
ImmuniWeb® Products for PA DSS Compliance
Application security and compliance starts with visibility. You cannot protect what you don't know. Therefore, we recommend starting PA DSS with an asset discovery and inventory.
ImmuniWeb® Discovery rapidly detects your external web, mobile and cloud assets equipped with asset’s attractiveness and hackability scores. Based on Big Data and our proprietary AI technology, the entire process is rapid and non-intrusive. Once you have a comprehensive and up2date inventory of your assets, you are ready to start a well-informed and risk-based application security testing.
For one-time security testing of you web applications and APIs, we recommend using ImmuniWeb® On-Demand. For iOS and Android mobile apps and their backend (e.g. API or REST/SOAP web services) we provide all-inclusive testing with ImmuniWeb® MobileSuite.
For most critical applications that directly impact your PA DSS we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code.
All ImmuniWeb® products leverage our award-winning Multilayer Application Security Testing and AI technology for intelligent automation and acceleration of Application Security Testing. Driven by human penetration testing, it rapidly detects even the most sophisticated vulnerabilities and comes with a zero false-positives SLA.