Our clients find the following documents helpful. And, since the sites that they come from are not the most user-friendly to navigate, we have included them here for your convenience.


The following documents are of interest to payment application vendors. They have been taken from the PCI Council's website. You can find the originals at: www.pcisecuritystandards.org

  • Program Guide - If you are a payment application vendor, you will want to become very familiar with this guide. It will help you understand what you need to do and what the PCI Council and your QSA (Qualified Security Assessor) will do for you.

  • PA-DSS - Once you are familiar with the Program Guide above, you will want to review the PA-DSS (Payment Application Data Security Standards). The PA-DSS details all of the security requirements that you need to ensure are being met by both your company and your application. This version of the PA-DSS also includes the Reporting Instructions that your PA QSA must follow when he/she assesses your application. If you are familiar with this document, there should be no surprises when assessment time comes. (Version 3.0 - 2013)

  • Mobile Payment Guidelines - If you have or are contemplating creating a payment application for mobile devices, please read this document. It provides very practical guidance for ensuring that your applications adequately address security.


The following files are of interest to merchants and service providers involved with storing, processing, or transmitting cardholder data.

  • PCI-DSS - The PCI-DSS (Payment Card Industry Data Security Standards) provides all of the security requirements that merchants and service providers must adhere to on an ongoing basis. It does not matter if you accept 10,000 or 10,000,000 credit card transactions; you are contractually required to adhere to these standards. All acquiring banks require PCI compliance as part of their merchant/service provider agreements. Failing to comply with these standards can get you in serious trouble. Fines, penalties, professional fees, and loss of customer trust can put you out of business if your company experiences a data breach. (Version 3.0 - 2013)

  • Mobile Payment Guidelines - If you have or are contemplating building or buying a payment application for mobile devices, please read this document. It provides very practical guidance for ensuring that such applications adequately address security.

  • Mobile Payment Guidelines For Merchants - If you are a merchant that takes mobile payments, this document is for you. The purpose of this document is to provide guidance to merchants on how to implement a secure mobile payment acceptance solution. While not exhaustive, this document outlines a variety of both traditional and less conventional mechanisms to isolate account data and protect it from exposure.

  • Virtualization Guidelines - Do you have questions about how virtualization affects your security and compliance? Have a look at this information supplement.

  • Code Reviews/Web Application Firewall - If you have a public facing web application you must use either secure code reviews or a web application firewall to protect it. This supplement explains this requirement and these options in more detail.

  • Penetration Tests - The PCI-DSS requires merchants and service providers to have penetration tests performed on their networks. Your company cannot be compliant without them. These tests must be performed by "experienced penetration testers". Please read this information supplement to learn more.

Industry Standards

Are you working to improve the security of your company? Don't reinvent the wheel! There are many industry standards that can make your life easier and your company more secure. Using well-vetted industry standards takes the guesswork and trial and error out of making changes. ISO, NIST, ISACA, etc. are all good resources. The following standards come from NIST (www.nist.gov).

  • Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping - This publication describes cryptographic methods that are approved for key wrapping, i.e., the protection of the confidentiality and integrity of cryptographic keys. In addition to describing existing methods, this publication specifies two new, deterministic authenticated-encryption modes of operation of the Advanced Encryption Standard (AES) algorithm: the AES Key Wrap (KW) mode and the AES Key Wrap With Padding (KWP) mode. An analogous mode with the Triple Data Encryption Algorithm (TDEA) as the underlying block cipher, called TKW, is also specified, to support legacy applications. (NIST SP - 800-38 - December 13, 2012)

  • Computer Security Incident Handling Guide - Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications. (NIST SP - 800-61rev2 - August 06, 2012)

  • Recommendation for Key Management - Part 1: General (Revision 3) - This Recommendation provides cryptographic key management guidance in three parts. Part 1 of the Recommendation 1) defines the security services that may be provided and key types that may be employed in using cryptographic mechanisms; 2) provides background information regarding the cryptographic algorithms that use cryptographic keying material; 3) classifies the different types of keys and other cryptographic information according to their functions, specifies the protection that each type of information requires and identifies methods for providing this protection; 4) identifies the states in which a cryptographic key may exist during its lifetime; 5) identifies the multitude of functions involved in key management; and 6) discusses a variety of key management issues related to the keying material. (NIST SP - 800-57 - July 10, 2012)

  • Guidelines for Securing Wireless Local Area Networks (WLANs) - A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component, including client devices, APs, and wireless switches, is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring. The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and strengthening their key recommendations. (NIST SP - 800-153 - February 21, 2012)

  • Electronic Authentication Guideline - This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63. (NIST SP - 800-63-1 - December 12, 2011)

  • Guide to Security for Full Virtualization Technologies - The purpose of SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server and desktop virtualization, and to provide recommendations for addressing these concerns. Full virtualization technologies run one or more operating systems and their applications on top of virtual hardware. Full virtualization is used for operational efficiency, such as in cloud computing, and for allowing users to run applications for multiple operating systems on a single computer. (NIST SP - 800-125 - January 28, 2011)

  • NIST Special Publication 800-64 Rev. 2 Security Considerations in the System Development Lifecycle - The purpose of SP 800-64 Revision 2, Security Considerations in the System Development Lifecycle, is to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This should result in more cost-effective, risk-appropriate security control identification, development and testing. (NIST SP - 800-64-2 - October 16, 2008)

  • Technical Guide to Information Security Testing and Assessment - The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use. (NIST SP - 800-115 - September 30, 2008)

Web Application Security

There are many great resources available on the web to learn about web application security. One organization that has done a great deal to advance security in this area is OWASP (the Open Web Application Security Project). The OWASP website (www.owasp.org) contains a wealth of knowledge. Just a few of the most common documents are listed below.

  • Guide to Building Secure Web Applications - In this guide, you will find details on securing most forms of web applications and services, with practical guidance using J2EE, ASP.NET, and PHP samples. It uses the familiar OWASP Top 10 format, but with more depth, and references to take you further. (Version 2.0 - July 27, 2005)

  • Software Assurance Maturity Model (SAMM) - The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in: (Version 1.0)
    • Evaluating an organization's existing software security practices
    • Building a balanced software security assurance program in well-defined iterations
    • Demonstrating concrete improvements to a security assurance program
    • Defining and measuring security-related activities throughout an organization

  • Secure Coding Practices Quick Reference Guide - This technology agnostic document defines a set of general software security coding practices, in a checklist format, that can be integrated into the software development lifecycle. Implementation of these practices will mitigate most common software vulnerabilities. (Version 2.0 - November 2010)

  • Testing Guide - This Testing Guide will show you how to verify the security of your running application. I highly recommend using this guide as part of your application security initiatives. (Version 3.0 - 2008)