Implementing the Payment Card Industry (PCI) Data Security Standard (DSS)

Underpinned by the rise in online criminality, the Payment Card Industry (PCI) Data Security Standard (DSS) was introduced; it outlines a subset of the core principles and requirements that must be followed, including precautions relating to the software that processes credit card data. The need to implement these requirements in existing software applications can present software owners and developers with a range of issues. We present here a generic solution to the sensitive issue of PCI compliance in which aspect-oriented programming (AOP) is applied to meet the requirement of masking the primary account number (PAN). Our architecture allows a fixed amount of code to be added which intercepts all the methods specified in the aspect, regardless of future additions to the system, thus reducing the amount of work required to maintain the aspect. We believe that the concepts presented here will provide an insight into how to approach the PCI requirements and undertake the task. The software artefact should also serve as a guide to developers implementing new applications, where security and design are fundamental elements that should be considered through each phase of the software development lifecycle and not as an afterthought.
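The interception-based masking the abstract describes, as an added Python example (not the paper's artefact, which is not reproduced on this page): a class-level "aspect" weaves after-returning advice into every method whose name matches a pointcut pattern, and the advice masks Luhn-valid PANs in the returned data down to the first six and last four digits, the maximum PCI DSS allows to be displayed. The pointcut pattern, the PAN regular expression and the ReceiptService class are assumptions constructed for this example.

```python
import functools
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional space/dash separators (assumption)

def luhn_ok(digits: str) -> bool:
    # Luhn check, so order numbers that merely look like PANs are left alone.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(text: str) -> str:
    """Leave at most the first six and last four digits of each PAN in text visible."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, text)

def _mask_value(v):
    if isinstance(v, str):
        return mask_pan(v)
    if isinstance(v, (list, tuple)):
        return type(v)(_mask_value(x) for x in v)
    return v

def apply_pan_masking_aspect(cls, pointcut=r"^(get|render|format)_"):
    """Weave 'after returning' advice that masks results into every method matching pointcut."""
    def advise(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            return _mask_value(fn(*args, **kwargs))
        return wrapper
    pat = re.compile(pointcut)
    for name, member in list(vars(cls).items()):
        if callable(member) and pat.match(name):
            setattr(cls, name, advise(member))
    return cls

@apply_pan_masking_aspect  # constructed example class, written without masking in mind
class ReceiptService:
    def render_receipt(self, pan, amount):
        return f"Card {pan} charged {amount}"
    def get_last_pans(self):
        return ["4111 1111 1111 1111", "not a card 1234"]
    def lookup_merchant(self, pan):  # outside the pointcut, so left unwoven
        return pan
```

Adding a new `render_*` or `get_*` method to the class later is covered by the same aspect without touching the advice, which is the maintenance benefit the abstract claims.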
