3.4 PA-DSS Guidelines
5.1 Develop all payment applications in accordance with PCI DSS (for example, secure authentication and logging)
and based on industry best practices, and incorporate information security throughout the software development life
cycle (PCI Data Security Standard Requirement 6.3). These processes must include the following:
• Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.)
• Validation of proper error handling
• Validation of secure cryptographic storage
• Validation of secure communications
• Validation of proper role-based access control (RBAC)
5.1.1 Live PANs are not used for testing or development. PCI Data Security Standard Requirement 6.4.4.
5.1.2 Separate development/test, and production environments
5.1.3 Removal of test data and accounts before production systems become active. PCI Data Security
Standard Requirement 6.4.4.
5.1.4 Review of payment application code prior to release to customers after any significant change, to identify any
potential coding vulnerability. Removal of custom payment application accounts, user IDs, and passwords before
payment applications are released to customers.
Note: This requirement for code reviews applies to all payment application components (both internal and public-
facing web applications), as part of the system development life cycle required by PA-DSS Requirement 5.1 and
PCI DSS Requirement 6.3. Code reviews can be conducted by knowledgeable internal personnel or third parties.
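Requirements 5.1.1 and 5.1.3 are easiest to enforce with an automated pre-release gate rather than a checklist. The following is an added example, not code from the IDTech SDK or from PA-DSS: it generates Luhn-valid synthetic PANs for test fixtures and scans fixture text for Luhn-valid card-length digit runs that fall outside an allowlist of test prefixes, so a live PAN pasted into a test file fails the build. The prefixes in TEST_PAN_PREFIXES and the FIXTURE text are constructed for illustration; replace the prefixes with the test ranges your acquirer or card brand publishes.

```python
"""Pre-release gate: keep live PANs out of test data (added example for PA-DSS 5.1.1 / 5.1.3)."""
import random
import re

# Assumption: prefixes of well-known test card numbers. Replace with the test
# ranges your acquirer/brand publishes; anything Luhn-valid outside this list is
# treated as a possible live PAN.
TEST_PAN_PREFIXES = ("4111", "4242", "5555", "371449")

# Card-length digit runs (13-19 digits), optionally separated by spaces or hyphens,
# not embedded inside a longer digit run.
_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in pan]
    parity = len(digits) % 2  # positions doubled are every second digit from the right
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Check digit that makes partial + digit Luhn-valid."""
    for d in range(10):
        if luhn_valid(partial + str(d)):
            return d
    raise ValueError("no Luhn check digit found")  # unreachable for digit strings


def synthetic_test_pan(prefix: str = "4111", length: int = 16, seed=None) -> str:
    """Luhn-valid PAN built from a test prefix; seed gives reproducible fixtures."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + str(luhn_check_digit(body))


def find_live_pans(text: str) -> list:
    """Luhn-valid card-length numbers in text that do not start with a test prefix."""
    hits = []
    for m in _CANDIDATE_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan) and not pan.startswith(TEST_PAN_PREFIXES):
            hits.append(pan)
    return hits


def fixture_is_clean(text: str) -> bool:
    """Gate result: True when no suspected live PAN is present."""
    return not find_live_pans(text)


# Constructed sample fixture: one allowlisted test card, one non-card number
# (fails Luhn, so ignored), one Luhn-valid number outside the test prefixes.
FIXTURE = """
card_ok=4111111111111111
order=20240115123456
card_bad=4532 0151 1283 0366
"""

if __name__ == "__main__":
    print("generated test PAN:", synthetic_test_pan(seed=1))
    print("suspected live PANs:", find_live_pans(FIXTURE))
    print("fixture clean:", fixture_is_clean(FIXTURE))
```

Run it against every fixture, seed file and sample request in the repository as part of the release pipeline; a non-empty result from find_live_pans should fail the build. The Luhn filter keeps order numbers and timestamps from producing noise, and the prefix allowlist is deliberately strict so that a real card typed into a test by mistake is caught even when it is Luhn-valid.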
5.2 Develop all web payment applications (internal and external, and including web administrative access to product)
based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of
common coding vulnerabilities in software development processes, to include:
• Injection flaws, with particular emphasis on SQL injection; also OS command injection, LDAP and XPath injection
flaws, and other injection flaws.
• Buffer Overflow.
• Insecure cryptographic storage.
• Insecure communications.
• Improper error handling.
• All HIGH vulnerabilities as identified in the vulnerability identification process at PA-DSS Requirement 7.1.
• Cross-site scripting (XSS)
• Improper access control such as insecure direct object references, failure to restrict URL access and directory
traversal.
• Cross-site request forgery (CSRF)
Note: The vulnerabilities listed in PA-DSS Requirements 5.2.1 through 5.2.9 and in PCI DSS at 6.5.1 through 6.5.9
were current in the OWASP guide when PCI DSS v1.2 / PCI DSS v2.0 (01/01/10) were published. However, if and
when the OWASP guide is updated, the current version must be used for these requirements.
5.3 Software vendor must follow change control procedures for all product software configuration changes. PCI
Data Security Standard Requirement 6.4.5. The procedures must include the following:
• Documentation of impact
• Management sign-off by appropriate parties
• Testing functionality to verify the new change(s) does not adversely impact the security of the system. Remove
all testing configurations, samples, and data before finalizing the product for production.
IDTech iOS SDK Guide for NEO2 #80152802-001