
Is the PCI DSS a good guide for an application security program?

Is the PCI DSS a sufficient guideline for implementing an application security program? Should organizations take steps beyond the mandated PCI compliance checklist?

The Payment Card Industry Data Security Standard (PCI DSS) checklist is a great place to start, but it probably won't cover all the application security concerns of a modern enterprise. Project managers working on security will want to consult PCI DSS guidelines as well as some associated security standards that delve deeper into application security specifically. Keep in mind that PCI DSS is focused only on credit cards and may not be the right flavor of information security for every organization.

The PCI DSS is a prescriptive framework for information security that's not very specific to application security. The essence of the 12 main standards of PCI DSS is to have a secure environment that protects sensitive cardholder data. These standards are enforced by security policies and supported by ongoing vulnerability management and security testing. In a way, this is exactly what's needed for an organization's application security program. However, application security requires more detail than general recommendations for managing information risks.

One of the best ways to go about improving your application security program is to review and follow the PCI Security Standards Council's Payment Application Data Security Standard (PA-DSS). PA-DSS is more application security centric than PCI DSS. It goes deeper into application security architecture; in particular, one PA-DSS requirement spells out the specific security controls for developing and maintaining secure applications.

Overall, PCI DSS provides great guidance for managing information security. PA-DSS aligns with certain PCI DSS requirements to create an overall security program. If you're looking for another commonly used application security framework, I recommend OWASP Top 10 and its associated projects.

Sufficient application security has different meanings to different people and businesses. In the end, you have to look at application security as a subset of information security and ensure the proper processes and people are continually involved.


This was last published in September 2014
