PCI Requirement 6.5.7 – Cross-Site Scripting (XSS)

by Randy Bartels / February 7, 2023

What is Cross-Site Scripting? Cross-site scripting (XSS) is another type of common coding vulnerability associated with application development. PCI Requirement 6.5.7 requires that you protect all of your organization’s web applications, internal application interfaces, and external application interfaces from XSS. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise. How does an XSS attack work? XSS is a type of…


PCI Requirement 6.5.1 – 6.5.6 Recap

by Randy Bartels / February 7, 2023

Where Do PCI Requirements 6.5.1 - 6.5.6 Apply? We’ve looked at PCI Requirement 6.5.1 through 6.5.6 together and learned about protection from injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and “high risk” vulnerabilities. But, where does PCI Requirement 6.5.1 through 6.5.6 apply? It’s important to know that PCI Requirements 6.5.1 through 6.5.6 apply to all internal and external applications. PCI Requirements 6.5.1 - 6.5.6 Recap…

PCI Requirement 6.5.5 – Improper Error Handling

by Randy Bartels / February 7, 2023

What is Improper Error Handling? Improper error handling is one of the common coding vulnerabilities outlined in PCI Requirement 6.5. PCI Requirement 6.5.5 states that improper error handling must be addressed in your coding techniques. PCI Requirement 6.5.5 alerts organizations that improper error handling introduces many security issues to your website because it can unintentionally leak information to an end-user or malicious individual. For example, a 500 Internal Server Error…

PCI Requirement 6.5.6 – All “High Risk” Vulnerabilities

by Randy Bartels / February 7, 2023

What are “High Risk” Vulnerabilities? PCI Requirement 6.1 taught us how to establish a process for identifying security vulnerabilities. The PCI DSS explained that risk ranking allows organizations to identify, prioritize, and address the highest risk items and reduce the likelihood that vulnerabilities will be exploited. Risk ranking is a vital element of PCI Requirement 6.5.6, which states that organizations must have a process in place to determine how to…

PCI Requirement 6.5.4 – Insecure Communications

by Randy Bartels / February 7, 2023

What are Insecure Communications? PCI Requirement 6.5.4 requires that you protect your applications from insecure communications. To understand PCI Requirement 6.5.4, let’s look back at PCI Requirement 4. PCI Requirement 4 and its sub-requirements outline how to use strong cryptography and security protocols to protect cardholder data, which is what PCI Requirement 6.5.4 calls for. The PCI DSS states, “Applications that fail to adequately encrypt network traffic using strong cryptography…