Payment Card Industry Data Security Standard 3.2.1
PCI DSS imposes various data protection, privacy and security testing requirements on all companies that must adhere to it. Web and mobile application security is an important part of PCI DSS compliance process:
“Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.”
“For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.”
“Implement a methodology for penetration testing that includes the following:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5”
ImmuniWeb® Products for PCI DSS Compliance
Application security and compliance starts with visibility. You cannot protect what you don't know. Therefore, we recommend starting PCI DSS with an asset discovery and inventory.
ImmuniWeb® Discovery rapidly detects your external web, mobile and cloud assets equipped with asset’s attractiveness and hackability scores. Based on Big Data and our proprietary AI technology, the entire process is rapid and non-intrusive. Once you have a comprehensive and up2date inventory of your assets, you are ready to start a well-informed and risk-based application security testing.
For one-time security testing of your web applications and APIs, we recommend using ImmuniWeb® On-Demand.
For iOS and Android mobile apps and their backend (e.g. API or REST/SOAP web services) we provide all-inclusive testing with ImmuniWeb® MobileSuite.
For most critical applications that directly impact your PCI DSS we offer ImmuniWeb® Continuous for incremental 24/7 testing of any new or updated code.
All ImmuniWeb® products leverage our award-winning Multilayer Application Security Testing and AI technology for intelligent automation and acceleration of Application Security Testing. Driven by human penetration testing, it rapidly detects even the most sophisticated vulnerabilities and comes with a zero false-positive SLA.