
Is the PCI DSS a good guide for an application security program?

Is the PCI DSS a sufficient guideline for implementing an application security program? Should organizations take steps beyond the mandated PCI compliance checklist?

The Payment Card Industry Data Security Standard (PCI DSS) checklist is a great place to start, but it probably won't cover all the application security concerns of a modern enterprise. Project managers working on security will want to consult PCI DSS guidelines as well as some associated security standards that delve deeper into application security specifically. Keep in mind that PCI DSS is focused only on credit cards and may not be the right flavor of information security for every organization.

The PCI DSS is a prescriptive framework for information security that's not very specific to application security. The essence of the 12 main standards of PCI DSS is to have a secure environment that protects sensitive cardholder data. These standards are enforced by security policies and supported by ongoing vulnerability management and security testing. In a way, this is exactly what's needed for an organization's application security program. However, application security requires more detail than general recommendations for managing information risks.

One of the best ways to improve your application security program is to review and follow the PCI Security Standards Council's Payment Application Data Security Standard (PA-DSS). PA-DSS is more application security centric than PCI DSS. It goes deeper into application security architecture, and one PA-DSS requirement in particular outlines the specific security controls for creating and maintaining secure applications.

Overall, PCI DSS provides great guidance for managing information security. PA-DSS aligns with certain PCI DSS requirements to create an overall security program. If you're looking for another commonly used application security framework, I recommend OWASP Top 10 and its associated projects.

Sufficient application security has different meanings to different people and businesses. In the end, you have to look at application security as a subset of information security and ensure the proper processes and people are continually involved.
