Veracode for PCI Compliance

Veracode helps organizations meet the application security and code review requirements of the PCI standard. As an expert in application security, Veracode is in a unique position to provide an independent assessment, standards-based rating and secure coding training to ensure your applications comply with PCI DSS and PCI PA-DSS. Unlike costly and labor intensive manual code analysis, Veracode’s cloud-based service allows you to automate application reviews and receive results within 24-72 hours. This revolutionary approach means you can simplify your compliance efforts by using a single provider for all your PCI application security and secure development training needs.

PCI Compliance for Merchants and Service Providers

According to research by Gartner and Symantec, close to 90 percent of software attacks are aimed at the application layer. Thus, it comes as no surprise that the PCI DSS has made application security one of its cornerstones. Requirements 6.3.7, 6.5 and 6.6 identify specific steps in secure application development and deployment which organizations must meet in order to achieve PCI compliance. PCI DSS requires independent code reviews to identify software vulnerabilities and secure coding training to ensure developers know how to write secure software.

PCI Compliance for Payment Software Vendors

Visa Payment Application Best Practices (PABP) standard applies to software vendors who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement. PCI has adopted Visa’s PABP and released a new standard called the Payment Application Data Security Standard (PA-DSS). Payment Software Vendors will need to certify their products to PA-DSS and demonstrate that their application code has undergone vulnerability analysis per the requirements specified in section 5. Visa mandates that only certified payment software can be used for new deployments.

 

Business Requirement Veracode Solution

Require clear and concise analysis of vulnerabilities that provide a measurable risk rating against a known standard

Standards-Based Ratings - Veracode combines MITRE’s Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST’s Common Vulnerability Scoring System (CVSS) which provides a practical way to assess application security and risk

Custom application code must be reviewed by an organization that specializes in application security

Independent & Trusted Review – Veracode meets the PCI definition of an organization specializing in application security. The Veracode team has deep security and industry expertise from industry-leading security and services companies such as @stake, Symantec, Guardent, VeriSign and Salesforce.com.

Develop a process for periodic custom application code review on a consistent basis and re-evaluate application code after corrections or changes are made

Automated Scanning - Allows organizations to schedule application and remediation reviews on-line without the need to re-engage consultants who manually review lines of code

Simplify application code review processes across multiple applications and dispersed development teams

Deploy Rapidly & Globally - Veracode provides a single web portal for teams to centrally collaborate on disparate projects with executive rollup dashboards to gauge overall status

Meet PCI requirements for outsourced or 3rd party custom applications where source code is not available

Integrated gray-box testing - Veracode is the only vendor that integrates both dynamic and static binary code analysis without requiring access to source code

Reduce the cost associated with specialized consultants who manually review application code

Security Expertise without High Costs – Veracode provides industry-leading security expertise without the high costs of manual reviews or investment in software and other
infrastructure.