The PCI Security Standards Council (PCI SSC) published guidance today on the secure development and maintenance of software designed to run on point-of-interaction (POI) devices.
POI devices are hardware or software components in point-of-sale equipment that allow a consumer to use a credit card to make a purchase, such as a PIN pad. According to the PCI SSC, the document is intended to address software that exists on POI devices, including payment and non-payment applications, and reinforce the importance of a layered approach to security.
“The goal of this document is to ensure that all organizations responsible for software development (and device management) understand the potential threats, and employ appropriate processes throughout the development life cycle to counter those threats,” according to the document. “The processes followed will depend on the organization, the type of application being developed, and the software languages used, but the principles remain the same.”
The document is meant to help organizations – including POI device vendors – that write or implement applications within a POI device understand the threats and counter them throughout the development lifecycle, according to the PCI SSC. It also comes at a time when cybercriminals have increasingly been paying attention to point-of-sale devices and targeting both retailers as well as vendors of point-of-sale devices (PoS).
“Criminals are looking at every aspect of a payment transaction to find ways for data exfiltration,” said PCI SSC Chief Technology Officer Troy Leach, in a statement. “While consumers and merchants alike benefit from additional features, complexity and increasing dependency on third-party applications can create new opportunities for exploit which is why due diligence is so vital in the development of software that terminals rely upon. This paper highlights important best practices for software coding in this unique environment.”
According to the PCI SSC, organizations can use this guidance to help ensure standard secure coding practices are followed, including:
Security awareness training that supports secure software development:
• Those involved in the development process (including software developers and peer reviewers), have important roles to play in developing software to ensure secure coding practices are implemented and address current threats. Those roles need to be defined before development begins and those individuals need to be trained and understand the secure software development program.
Secure software development lifecycle:
• Organizations need to have a software security roadmap defined before development begins that will address known threats. The software needs to be mapped and documented, and rules and processes defined so that security is implemented as part of the development process and not incorporated as an afterthought.
• It is imperative to understand how the application will work when used with the hardware, firmware, and other applications that it is intended for use with. While simulators and unit testing are essential, testing the device with the complete solution should be a priority.
Internal process reviews:
• The threat environment is constantly evolving which is why organizations need to stay current on the latest threats and changes to ensure the procedures in place are still sufficient and are actually being followed.
Michael Belton, team lead of assessment services at Rapid7, said that for an average retailer, performing hardware and software security testing on a product they purchased is cost-prohibitive.
The document can be read here.