About the Client
The client is a provider of financial electronic commerce services and products. Its solutions power electronic billing and payment, automate financial transactions and streamline regulatory reporting. The solution portfolio includes a membership software solution for the health and fitness club industry.
The client needed to get its membership solution certified for PA-DSS compliance in accordance with regulations from credit card merchants. The PCI Data Security Standard (DSS) is a comprehensive set of requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International) to facilitate the adoption of consistent data security measures.
Making web applications PA-DSS compliant includes checking them against the OWASP Top 10 vulnerabilities. This has to cover a range of architectural and usage scenarios: web-based multi-tier, smart-client and thick-client applications intended for both internal and public use, including the use of web services and complex third-party integrations with multiple payment gateways.
The project was kick-started with a training session on OWASP vulnerabilities, PCI and PA-DSS requirements and secure coding practices for all the Microsoft .NET developers who would be working on the project. The online training was conducted by IBM, followed by a PCI DSS and PA-DSS requirements overview training by Control Case. The QA team also went through dedicated training on the IBM AppScan tool, which provides security vulnerability scanning, testing and reporting for web applications.
After the training, the first task the developers undertook was to develop a Common Security Framework: a generic security framework/accelerator in .NET that addresses common security concerns such as:
- XSS (input and output sanitization/encoding)
- Password policy enforcement
- Sensitive data encryption (e.g. Connection strings, username, passwords etc.)
- Cross site request forgery
- Event based logging
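The cross-site request forgery item above is the one most often implemented as a reusable framework component, so here is an added example (not the client's or Silicus's code) of a synchronizer-token helper in C#. The `ISessionStore` interface, the `CsrfToken` class and the hidden-field name `__csrf` are assumptions made for this illustration; an ASP.NET page would back the store with `HttpSessionState` and call `Validate` on every POST before doing any work.

```csharp
// Added example: synchronizer-token CSRF protection as a framework helper.
// ISessionStore is a hypothetical abstraction over server-side session state.
using System;
using System.Security.Cryptography;
using System.Text;

public interface ISessionStore
{
    string Get(string key);
    void Set(string key, string value);
}

public static class CsrfToken
{
    private const string SessionKey = "__csrf_secret";   // server-side copy of the token
    public const string FieldName = "__csrf";            // hidden form field name (assumed)

    // Called when rendering a form: creates a 256-bit random token once per session
    // and returns it, Base64-encoded, for the hidden field.
    public static string IssueToken(ISessionStore session)
    {
        string existing = session.Get(SessionKey);
        if (!string.IsNullOrEmpty(existing))
            return existing;

        byte[] secret = new byte[32];
        RandomNumberGenerator.Create().GetBytes(secret); // CSPRNG, never System.Random
        string token = Convert.ToBase64String(secret);
        session.Set(SessionKey, token);
        return token;
    }

    // Called on every state-changing (POST) request: the submitted field must match
    // the session copy. A missing token on either side fails closed.
    public static bool Validate(ISessionStore session, string submittedToken)
    {
        string expected = session.Get(SessionKey);
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(submittedToken))
            return false;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected),
                               Encoding.UTF8.GetBytes(submittedToken));
    }

    // Constant-time comparison so the result does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The token lives only in session state and in the form body, never in a cookie, which is what makes a cross-site POST unable to supply it. Later ASP.NET versions ship an equivalent anti-forgery helper; the framework described on this page targeted .NET 1.1/2.0, where it had to be written by hand as above.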
With the framework in place, the team set about re-engineering the software application to adhere to PA-DSS requirements. The changes included:
- Specific Security Implementations – apart from the vulnerabilities handled through the common security framework, some concerns were addressed locally in the application code: parameterizing dynamic SQL to prevent SQL injection, and exception handling to prevent leakage of sensitive information
- Restricted access to Web URLs / insecure direct object references – a global implementation covering query string encryption and web request authentication using HTTP handlers and the Front Controller pattern
- Securing Web Services – web service authentication using SOAP headers over HTTPS, and validation of web method parameters for type and range using regular expressions
- Protecting Card Holder Data – storing credit card data in tokenized form, masking it at the UI level and transmitting it over the network only via HTTPS
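The first item in the list, parameterizing dynamic SQL and handling exceptions so they do not leak details, is shown below as an added example in C# (not the client's or Silicus's code). The `Members` table, its `MemberId` and `LastName` columns and the `MemberQueries` class are assumed for the illustration; the concatenated query is kept beside the parameterized one so the difference is visible.

```csharp
// Added example: dynamic SQL before and after parameterization, plus exception handling
// that keeps database error details out of the response.
using System;
using System.Data;
using System.Data.SqlClient;

public static class MemberQueries
{
    // Vulnerable form: the search string is spliced into the SQL text, so input containing
    // a quote or comment marker changes the statement instead of being treated as data.
    public static string BuildUnsafeQuery(string lastName)
    {
        return "SELECT MemberId, LastName FROM Members WHERE LastName = '" + lastName + "'";
    }

    // Hardened form: the SQL text is fixed and the value travels as a typed parameter, so the
    // database never parses user input as SQL. The declared type and size also act as a
    // coarse length check on the input.
    public static SqlCommand BuildSafeQuery(SqlConnection connection, string lastName)
    {
        SqlCommand cmd = connection.CreateCommand();
        cmd.CommandType = CommandType.Text;
        cmd.CommandText = "SELECT MemberId, LastName FROM Members WHERE LastName = @lastName";
        SqlParameter p = cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100);
        p.Value = lastName;
        return cmd;
    }

    // Exception handling that prevents information leakage: the SqlException (which can
    // carry table names and SQL fragments) is logged server-side, and the caller sees only
    // a generic message.
    public static DataTable RunSearch(SqlConnection connection, string lastName,
                                      Action<string> logError)
    {
        try
        {
            using (SqlCommand cmd = BuildSafeQuery(connection, lastName))
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable result = new DataTable();
                adapter.Fill(result);
                return result;
            }
        }
        catch (SqlException ex)
        {
            logError("Member search failed: " + ex.Message);            // detailed, internal only
            throw new ApplicationException("The search could not be completed."); // generic, external
        }
    }
}
```

The `logError` callback stands in for the framework's event-based logging; wiring it to the application's logger rather than to the HTTP response is what makes the exception-handling item on the list effective.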
Parts of the software re-engineering effort were avoided through the use of pre-built .NET assemblies that make use of industry standards like:
- MD5 hashing
- Triple DES encryption
- Microsoft AntiXSS/Cryptography libraries
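The "Protecting Card Holder Data" item (tokenized storage, masked display) and the cryptographic building blocks listed just above are illustrated together by the added example below, which is not the client's or Silicus's code. Note that the two algorithms named on the page, MD5 and Triple DES, have since been deprecated (MD5 is not collision-resistant and NIST has retired Triple DES), so the example uses AES-256 and HMAC-SHA256 instead; it assumes .NET 3.5 or later for `Aes.Create()`. The `CardTokenVault` class, its in-memory dictionary and the start-up key generation are assumptions for illustration only; a real deployment keeps keys in a key-management system and the vault in a separately secured store.

```csharp
// Added example: a token vault that stores card numbers AES-encrypted and hands the
// application an opaque token, plus the masked form used for display.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class CardTokenVault
{
    private readonly byte[] _encKey = new byte[32];   // AES-256 data-encrypting key
    private readonly byte[] _macKey = new byte[32];   // HMAC-SHA256 key for token derivation
    private readonly Dictionary<string, byte[]> _vault = new Dictionary<string, byte[]>();

    public CardTokenVault()
    {
        // Illustration only: real keys come from a key-management system, not start-up code.
        RandomNumberGenerator rng = RandomNumberGenerator.Create();
        rng.GetBytes(_encKey);
        rng.GetBytes(_macKey);
    }

    // Returns the token for a PAN. A keyed HMAC gives the same card the same token (needed
    // for recurring billing) while keeping the PAN unrecoverable from the token itself.
    public string Tokenize(string pan)
    {
        string digits = Normalize(pan);
        if (!LuhnValid(digits)) throw new ArgumentException("Not a valid card number");
        string token;
        using (HMACSHA256 mac = new HMACSHA256(_macKey))
            token = BitConverter.ToString(mac.ComputeHash(Encoding.ASCII.GetBytes(digits)))
                                .Replace("-", "");
        if (!_vault.ContainsKey(token))
            _vault[token] = Encrypt(digits);
        return token;
    }

    // Only the payment path calls this; UI code never sees the clear PAN.
    public string Detokenize(string token)
    {
        byte[] blob;
        if (!_vault.TryGetValue(token, out blob)) throw new KeyNotFoundException("Unknown token");
        return Decrypt(blob);
    }

    // Masked display: only the last four digits are shown (PCI DSS allows at most the
    // first six and last four; showing fewer is the conservative choice).
    public static string Mask(string pan)
    {
        string digits = Normalize(pan);
        if (digits.Length <= 4) return new string('*', digits.Length);
        return new string('*', digits.Length - 4) + digits.Substring(digits.Length - 4);
    }

    private static string Normalize(string pan)
    {
        return pan.Replace(" ", "").Replace("-", "");
    }

    // AES-256-CBC with a fresh random IV per record; the blob is IV || ciphertext.
    private byte[] Encrypt(string plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = _encKey;
            aes.GenerateIV();
            byte[] iv = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.ASCII.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                byte[] blob = new byte[iv.Length + ct.Length];
                Buffer.BlockCopy(iv, 0, blob, 0, iv.Length);
                Buffer.BlockCopy(ct, 0, blob, iv.Length, ct.Length);
                return blob;
            }
        }
    }

    private string Decrypt(byte[] blob)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = _encKey;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
                return Encoding.ASCII.GetString(pt);
            }
        }
    }

    // Luhn check rejects malformed input before anything is stored.
    private static bool LuhnValid(string digits)
    {
        if (digits.Length < 13 || digits.Length > 19) return false;
        int sum = 0; bool dbl = false;
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            if (digits[i] < '0' || digits[i] > '9') return false;
            int d = digits[i] - '0';
            if (dbl) { d *= 2; if (d > 9) d -= 9; }
            sum += d; dbl = !dbl;
        }
        return sum % 10 == 0;
    }
}
```

Two design points: the token key and the encryption key are separate, so compromise of one does not expose the other's data; and the CBC ciphertext above carries no integrity tag, which is acceptable for a demonstration but in production should be paired with an HMAC over the blob or replaced by an authenticated mode such as AES-GCM where the runtime offers it.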
The team engaged in rigorous code review sessions, applying a checklist-based, comprehensive and effective security code review methodology.
During development, the QA team carried out extensive testing using security test cases, the AppScan tool (web applications) and the SoapUI tool (web services).
Technologies used:
- .NET Framework 1.1, 2.0
- SQL Server 2005
- IIS Web Server
- Visual Studio 2003/2005, AppScan, SoapUI, Source Safe offsite
Software Engineering Risk Mitigation
Failure to get the application ready for PA-DSS compliance within the deadline would have resulted in loss of business. A strong set of software engineering practices and processes ensured that risks and challenges were understood upfront and addressed without adversely impacting the project timelines.
To meet the deadline, Silicus quickly ramped up a team of 10 individuals, including architects, developers, QA engineers and PCI experts, and completed the exercise in 6.5 months, within the stipulated deadline.
PCI Compliance expertise delivered from a low cost location
PCI compliance software re-engineering services are fairly niche, with only PCI-certified companies offering them. By partnering with an offshore company, the client was able to gain access to this niche software engineering expertise at a fraction of the cost.