Web Application Security: PCI Certification and SOC 2 Compliance

Online data security is a big concern for all organizations, including those that outsource key business operations to third-party clients (such as Software-as-a-Service cloud-computing providers). Mishandled data, especially with application and network security providers, can reveal vulnerabilities that lead to data theft, extortion and malware malfeasance.

As mentioned in previous posts, there are many options for securing your site and protecting your customers. Incident response and vulnerability management, intrusion prevention and penetration (pen) testing are important parts of any security solution, as are API and IoT security.

As you evaluate web application security vendors, find out what certifications they provide and which compliance standards they meet. In this post, we’ll talk about two: PCI Certification and SOC 2 Compliance.

PCI Certification

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established jointly by VISA, MasterCard, Discover Financial Services, JCB International and American Express. The compliance plan aims to secure credit and debit card transactions against possible data theft and fraud.

PCI certification is a requirement for all businesses that process credit or debit card transactions. It’s also considered to be the best way to safeguard sensitive data, thereby helping businesses build long-lasting and trusting relationships with customers.

Being certified means a defined set of data-protection requirements is in place. For example, businesses must restrict access to cardholder information and monitor access to network resources. PCI DSS certification makes sure common best practices are followed, such as:

  • Installation of firewalls
  • Encryption of data transmissions
  • Use of anti-virus software

PCI-compliant security services give businesses a recognized data security standard to work to, and let customers know that their personal data is protected. Customers expect PCI compliance for secure transactions.

PCI compliance is divided into four levels based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.

Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions per year. They must undergo an internal audit once a year and must perform a PCI scan by an Approved Scanning Vendor once a quarter.

Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). In addition, a quarterly PCI scan may be required.

Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions per year. A yearly assessment using the relevant SAQ must be completed, and a quarterly PCI scan may also be required.

Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. An assessment using the relevant SAQ must be completed annually, and a quarterly PCI scan may be required.

Along with these compliance levels, the PCI SSC has identified 12 additional requirements for handling cardholder data and maintaining a secure network. All are necessary for an enterprise to become compliant. They are:

Secure network

1) A firewall configuration must be installed and maintained

2) System passwords must not be left at vendor-supplied defaults

Secure cardholder data

3) Stored cardholder data must be protected

4) Transmissions of cardholder data across public networks must be encrypted

Vulnerability management

5) Anti-virus software must be used and regularly updated

6) Secure systems and applications must be developed and maintained

Access control

7) Cardholder data access must be restricted to a business need-to-know basis

8) Every person with computer access must be assigned a unique ID

9) Physical access to cardholder data must be restricted

Network monitoring and testing

10) Access to cardholder data and network resources must be tracked and monitored

11) Security systems and processes must be tested regularly

Information security

12) A policy dealing with information security must be maintained

While the basic rules for compliance have remained constant throughout the years, new requirements are periodically added to keep up with changes in the online threat landscape.

Back in 2008, PCI DSS established a requirement to secure data against some of the most common web application attack vectors (such as SQL injection, remote file inclusion (RFI) and other malicious vectors). Organizations can meet it in one of two ways: through rigorous application code reviews or by implementing a web application firewall that filters malicious requests.
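The code-review side of that requirement, as an added example that is not from the original post: a string-built SQL query of the kind a review should flag, beside its parameterised replacement, run against a constructed in-memory SQLite table (the table, account names and token values are invented for the example).

```python
import sqlite3

# Constructed sample table standing in for a cardholder lookup; the rows are
# invented for this example and hold tokenised references, not real card data.
SAMPLE_ROWS = [
    ("alice", "tok_4a1f"),   # (account name, tokenised card reference)
    ("bob", "tok_9c22"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, card_token TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(name):
    """The pattern a code review should flag: the untrusted value is spliced
    into the SQL text, so the input can change the shape of the query."""
    conn = _connect()
    sql = f"SELECT name, card_token FROM accounts WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(name):
    """The fix: a parameterised query. The driver sends the value separately
    from the SQL text, so it is only ever compared as data, never parsed."""
    conn = _connect()
    sql = "SELECT name, card_token FROM accounts WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    # Constructed input that closes the string literal in the vulnerable query.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(probe))  # every row comes back
    print("hardened:  ", lookup_hardened(probe))    # no row matches
```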

SOC 2 Compliance

SOC 2, by contrast, is an auditing procedure that verifies your service provider manages your data securely. For data-driven businesses, it is a minimum requirement when considering a SaaS provider.

SOC 2 was developed by the American Institute of CPAs and defines criteria for managing customer data based on five “trust service principles”:

Security – including network/application firewalls, two-factor authentication and intrusion detection.

Availability – defined as performance monitoring, disaster recovery and security incident handling.

Processing integrity – quality assurance and processing monitoring.

Confidentiality – including encryption, access controls and network/application firewalls.

Privacy – including access control, two-factor authentication and encryption.

Unlike the specific requirements of PCI DSS, SOC 2 reports are tailored to each organization. Each organization designs its own controls, in line with its business practices, to comply with one or more of the trust principles above.

SOC 2 compliance isn’t a requirement for SaaS and cloud computing vendors. However, its role in securing your data cannot be overstated.