Are you a payment solution provider? Credit card company? Online business accepting credit card payments? Protecting cardholder data is no doubt a key priority. It can start with open source software (OSS) security and meeting PCI security standards.
In 2019 the Payment Card Industry Security Standards Council (PCI SSC) published security standards for the development and management of payment application software that stores, processes and/or transmits cardholder data. I wrote about it then in this blog. Related to open source, the newer standards require software companies to continuously identify and assess weaknesses within software applications.
In its Technology Insight for Software Composition Analysis report, Gartner shows that:
- 6% of codebases contain at least some open source
- 40% of those components contain at least one high-risk vulnerability
- Concerns over the long-term viability of packages and the presence of security vulnerabilities were cited as the most significant challenges faced in using open source
According to the US Census Bureau, eCommerce continues to grow at double-digit rates each year. That growth, combined with the increased acceptance and use of OSS to boost productivity and innovation, and the rise in data and security breaches, creates a potential tidal wave of problems. That is what the PCI SSC aims to avoid with evolving security standards, and what payment solution providers should pay attention to. After all, Secure SLC Assessors have a job for a reason: to validate that software vendors have mature software lifecycle management practices in place that ensure the protection of payment transactions and data while minimizing security vulnerabilities.
Meeting the new standards requires committing to changes in your software development lifecycle that demonstrate to assessors, stakeholders, and customers that you are responsible for the security of cardholder data. If the open source software supply chain is not managed through security and compliance processes, attackers can exploit gaps and carry out malicious activities.
Payment software vendors should embark on an open source compliance and risk management journey by:
- Creating a consistent, repeatable process for software vulnerability and risk management
- Gaining buy-in from critical stakeholders across the organization, including executives, developers, engineers, and legal
- Setting and enforcing policies for remediation
- Creating a complete and accurate Bill of Materials for all applications to meet the requirement of accounting for the entire codebase
- Making open source scanning an ongoing best practice effort, including integrating an SCA solution into your engineering process
Adding Software Composition Analysis and open source scanning solutions to your technology lineup goes a long way in implementing the journey to compliance and risk management.
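To make the Bill of Materials and remediation-policy items above concrete, here is an added example (not code from this post or from any SCA vendor) of a policy gate a build pipeline could run over a CycloneDX-style SBOM with SCA findings attached. The SBOM, package names and advisory ids are constructed placeholders, and the policy thresholds are assumptions.

```python
import json

# Severity order used by the policy; unknown rating strings rank 0 and never block.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample SBOM (CycloneDX-JSON shape with an SCA tool's
# vulnerability section). Package names and advisory ids are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-card-tokenizer", "version": "2.1.0",
         "bom-ref": "pkg:npm/acme-card-tokenizer@2.1.0"},
        {"type": "library", "name": "acme-json-utils", "version": "0.9.4",
         "bom-ref": "pkg:npm/acme-json-utils@0.9.4"},
        {"type": "library", "name": "acme-logger",  # version lost at build time
         "bom-ref": "pkg:npm/acme-logger"},
    ],
    "vulnerabilities": [
        {"id": "ADV-PLACEHOLDER-1", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/acme-card-tokenizer@2.1.0"}]},
        {"id": "ADV-PLACEHOLDER-2", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:npm/acme-json-utils@0.9.4"}]},
    ],
})

def evaluate_sbom(sbom_json, block_at="high"):
    """Apply the remediation policy; returns (passed, findings) with each
    finding as (kind, bom_ref, detail). Fails on an incomplete inventory
    (a component without a version) or an advisory rated at/above block_at."""
    sbom = json.loads(sbom_json)
    findings = []
    known = set()
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        known.add(ref)
        if not comp.get("version"):  # unversioned entries cannot be matched to advisories
            findings.append(("incomplete-bom", ref, "component has no version"))
    threshold = SEVERITY_RANK[block_at]
    for vuln in sbom.get("vulnerabilities", []):
        # Rate an advisory by its worst rating; unrated advisories never block.
        worst = max((SEVERITY_RANK.get(str(r.get("severity", "")).lower(), 0)
                     for r in vuln.get("ratings", [])), default=0)
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref not in known:  # advisory points at something the BOM does not list
                findings.append(("unknown-ref", ref, vuln["id"]))
            elif worst >= threshold:
                findings.append(("policy-violation", ref, vuln["id"]))
    return (not findings, findings)
```

The gate fails the build both for the high-severity advisory and for the unversioned component, since an inventory that cannot be matched against advisories is not the complete and accurate Bill of Materials the standard calls for.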