
PCI compliance (PCI DSS) for Front End


I'm currently working on a project, and one of its features is e-commerce, such that our system should take care of security for users' credit card information and other credential information.

I know that any web service that deals with users' payment card information should follow PCI compliance (Payment Card information Data Security Standard). As a front-end developer, I need to figure out what part of PCI DSS I should focus on and need to learn.

Any suggestions, references or advice?

Thanks for the help


Solution

  • PCI-DSS is quite complex, but in short: most of the rules to be followed regard backend processing and storage. One of the points regarding the frontend is requirement 3.3:

    Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

    But I think it is a bad idea to do this on the frontend side. Better to send already masked data to the frontend, as everything on the client side could be manipulated (e.g. you mask the card number via JavaScript, but in the page source the whole number is to be found).

    And of course requirement 4:

    4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission. (Where SSL/early TLS is used, the requirements in PCI DSS Appendix A2 must be completed.)

    4.2 Never send unprotected PANs by end user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).

    4.3 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.

    Be sure to use strong transport layer encryption (TLS 1.2) and only allow secure ciphers, so that data transferred from your frontend to the backend is not readable by someone sniffing the network. You should be aware that all protection efforts on the frontend side may be undermined by a dirty PC, that is, a PC infected by trojans and other malware. This is mostly covered by requirement 5.

    5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.

    5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans, generate audit logs, which are retained per PCI DSS Requirement 10.7.

    5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

    5.4 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.

    And in the end: ensure you let your application be pentested as this is required.
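As an added example (not code from the original post or answer), here is a server-side masking helper in Node-style JavaScript that applies the requirement 3.3 limit (first six and last four digits at most) before any card data is handed to the front end, following the answer's advice to send already-masked data rather than masking in the browser. The accepted PAN length range (13-19 digits), the `record` shape and the sample record are assumptions.

```javascript
// Added example: mask a PAN on the server per PCI DSS requirement 3.3, so the
// full number never reaches the client (where it could be read from the page
// source). Assumptions: PANs are 13-19 digits; the record shape is illustrative.

const PAN_RE = /^\d{13,19}$/;   // assumed PAN length range
const MAX_LEADING = 6;          // 3.3: first six digits is the most you may show
const MAX_TRAILING = 4;         // 3.3: last four digits is the most you may show

/**
 * Mask a PAN for display. By default only the last four digits survive; a
 * caller with a documented business need may ask for more, but anything
 * above the 3.3 maximum (6 leading / 4 trailing) is clamped, never honoured.
 */
function maskPan(pan, { leading = 0, trailing = 4 } = {}) {
  const digits = String(pan).replace(/[\s-]/g, ''); // tolerate "4111 1111 ..." input
  if (!PAN_RE.test(digits)) {
    throw new TypeError('PAN must be 13-19 digits');
  }
  const keepLead = Math.min(Math.max(leading, 0), MAX_LEADING);
  const keepTail = Math.min(Math.max(trailing, 0), MAX_TRAILING);
  const maskedLen = digits.length - keepLead - keepTail;
  return (
    digits.slice(0, keepLead) +
    '*'.repeat(maskedLen) +
    digits.slice(digits.length - keepTail)
  );
}

/** Build the card summary the API returns to the browser; the PAN field is never copied. */
function cardSummary(record) {
  return {
    brand: record.brand,
    masked: maskPan(record.pan), // e.g. "************1111"
    expires: record.expires,
  };
}

// Constructed sample record using a well-known test number, not a real card.
const sampleRecord = { brand: 'visa', pan: '4111 1111 1111 1111', expires: '12/30' };

console.log(JSON.stringify(cardSummary(sampleRecord)));
```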