Banking Application Security and Impact of PCI DSS Compliance

Banking application security testing

Over 1 million people across the world become victims of cyber crime daily, with crimes occurring at a rate of 12 per second. Alarmed? You have every reason to be.

Since the majority of data breaches relate to debit and credit cards, the PCI DSS standards were set in 2006 to strengthen information security and keep customer data secure.

What is PCI DSS?

PCI DSS – Payment Card Industry Data Security Standard – is the set of security standards administered by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to safeguard debit and credit card data. Its scope covers data security management, security policies and procedures, network architecture and software design.

It prescribes a continuing cycle of assessment (identifying vulnerabilities), remediation (fixing vulnerabilities) and reporting for all entities that store, process or transmit card data.

How does PCI DSS impact banking and banking applications?

PCI DSS has set stringent norms that banks need to follow diligently to stay compliant. Primary among them is the need to perform adequate security testing to ensure cardholder data is never compromised.

  • Run controlled breach attempts against the bank network on a regular basis to verify network, endpoint and web application security
  • Perform security testing to detect well-known vulnerabilities such as SQL injection, OS command injection, cross-site scripting and broken authentication
  • Test for the presence of authorized and unauthorized wireless access points on a quarterly basis
  • Perform penetration testing – white box and black box – at the network layer and the application layer at least once a year, or after a significant change has been made to the application
  • The scope of penetration testing is the cardholder data environment (CDE) plus the systems and networks connected to it (unless the bank has a segmented network in which the CDE is isolated from other systems)
  • Penetration testing should aim to identify all possible threats and vulnerabilities and attempt to exploit them to penetrate the system at both the application and the network level
  • Issues identified should be corrected and re-tested until they are fully remediated

Most financial organizations find it challenging to meet the rigorous testing requirements of PCI DSS. A Verizon study found that less than one-third of organizations were still fully PCI compliant less than a year after validation. Failure to comply can have severe consequences in terms of lost trust and credibility, not to mention a penalty of up to $50,000 a day. By 2018, Gartner expects more than 50% of organizations to use third-party security firms to help manage their network infrastructure.

Gallop Solutions has a rich repository of security test cases and maintains its own Network Security Test Center of Excellence. We adopt the latest industry test practices to deliver cutting-edge security testing services to leading banks across the world. Contact us to learn more.


The opinions expressed in this blog are the author's and don't necessarily represent Gallop's positions, strategies or opinions.