PCI DSS Compliance

Requirement 6.6: Protect Public-Facing web applications

When your company or organization handles credit card data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). Hdiv security solutions help companies and organizations meet 4 of the PCI DSS requirements.

All requirements are addressed without any change to the applications, and the necessary information and reports are included in the Hdiv web console component.

Requirement 6.6 offers two options for compliance: install an automated technical solution that detects and prevents web-based attacks, or review public-facing web applications manually or with automated vulnerability assessment tools or methods, at least annually and after any change.

  • Hdiv protection features implement the first option without waiting for any code review or redeployment, providing a consistently high level of security from the start.

Requirement 8: Identify and authenticate access to system components

Hdiv covers some of the sub-requirements of this requirement, including:

  • 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
  • 8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
  • 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
  • 8.2.3 Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
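The sub-requirements above fix concrete thresholds. The following Python sketch, added here as an illustration and not Hdiv's own code, shows how an application-side authentication policy would enforce them: lockout after six failed attempts, a 30-minute lockout, a 15-minute idle timeout, and seven-character passwords mixing letters and digits. The class and function names are assumptions made for the example; times are plain epoch seconds so the logic can be exercised without a clock.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Thresholds taken from the PCI DSS 8.x sub-requirements listed above.
MAX_FAILED_ATTEMPTS = 6         # 8.1.6: lock the user ID after not more than six attempts
LOCKOUT_SECONDS = 30 * 60       # 8.1.7: lockout lasts at least 30 minutes
IDLE_TIMEOUT_SECONDS = 15 * 60  # 8.1.8: idle longer than 15 minutes forces re-authentication
MIN_PASSWORD_LENGTH = 7         # 8.2.3: at least seven characters

def password_meets_policy(pw: str) -> bool:
    """8.2.3: minimum length plus both alphabetic and numeric characters."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))

@dataclass
class AccountState:  # hypothetical per-user record, not an Hdiv structure
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None means not locked
    last_activity: Optional[float] = None  # epoch seconds of the last authenticated request

class AuthPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until, st.failed_attempts = None, 0  # lockout expired, start fresh
        return st.locked_until is not None

    def record_login(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'; a correct password is refused while locked."""
        if self.is_locked(user, now):
            return "locked"
        st = self.accounts[user]
        if password_ok:
            st.failed_attempts, st.last_activity = 0, now
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"

    def session_active(self, user: str, now: float) -> bool:
        """8.1.8: False once idle longer than 15 minutes; the user must re-authenticate."""
        st = self.accounts.setdefault(user, AccountState())
        if st.last_activity is None or now - st.last_activity > IDLE_TIMEOUT_SECONDS:
            st.last_activity = None
            return False
        st.last_activity = now
        return True
```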

Requirement 10: Audit All Access to Cardholder Data

“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.”

This requirement demands that companies and organizations track and monitor all access to cardholder data.

  • Hdiv makes it possible to log any access to cardholder data, transparently and without changing application source code.

Resources

  • Conference: Protection and Verification of Security Design Flaws
  • Video: Testing Hdiv IAST against OWASP Benchmark
  • Video: Hdiv Protection (RASP) in the Production environment
  • Video: Hdiv RASP protecting ASP.NET MVC applications