Keep This Payment Security Checklist Handy

A security expert provides a list of common mistakes developers make concerning payment security.

September 19, 2017

It’s no secret that developing applications becomes even more complex when you look to integrate payment processing. There are literally hundreds of pages of rules and regulations by multiple bodies that you need to follow to ensure your software follows the necessary security protocols and best practices.

DevPro Journal had the opportunity to speak with Nathan Sweaney, a senior security consultant with Secure Ideas, about some of the more common mistakes his company sees concerning payment security in software development. While the following isn’t all you need to worry about if you’re interested in payments integration, it’s a good additional checklist to keep handy.

Include security from the beginning and in every part of the development lifecycle.
Don’t get access to data you don’t need and don’t store more than you need.
Don’t require users to run as admin — the “principle of least privilege.”
Provide support (and encourage) 2-factor authentication.
Don’t use default passwords. Require one to be set on install.
Provide a security implementation guide with realistic configurations. Don’t build a security model on configurations that no one can use in real life.
Train your developers on secure coding techniques. Most schools don’t teach secure coding, and few developers pursue it.
Test your software. Lots of options here: Code review, static analysis tools, penetration test, etc.
Provide a reliable, consistent patching process. It should be as seamless as possible and require minimal action for the merchant.
Don’t require insecure network configurations. Clearly define what network traffic and firewall rules are necessary to use the app.
Encrypt network traffic. Even non-sensitive stuff can be encrypted. It’s cheap and easy now.
Don’t store encrypted passwords. Store salted hashes with an iterative hashing function like pbkdf2.
Avoid rolling your own. Use standard, accepted libraries whenever possible for encryption, authentication, session management, etc.
For web apps, keep your whole stack updated (server, language, CMS, libraries).
Lean on a WAF (web application firewall), don’t stand. WAFs are an emergency patch. You should still do input validation/output encoding – use libraries.
Proactively limit attacks (logging/alert/IDS/rate limiting/IP-blocks).
Your API is a target. Don’t assume no one will find it or know how to communicate with it.

Keep This Payment Security Checklist Handy

Latest Software Developer News

Datacap Wins PayTech Women Corporate Champion – Small Business Award

Epson OmniLink TM-m50II-H POS Receipt Printer Now Available

Epson OmniLink m-Series Receipt Printers Certified for Slice Register POS Systems Built Exclusively for Local Pizzerias

MicroTouch Collaborates with Exertis Almo to Bring Integrators New Interactive Touch Displays

New GitLab Research Reveals Rising Demand for Security and Efficiency in Software Development, Increasing Use of AI/ML in Security

Solo.io Expands Gloo Platform with Addition of Gloo Fabric to Enable Secure, Multi-cloud Networking for Distributed Applications

Most Popular

Supercharge Your Dev/Test Tools: Automation Is Your AMP Suit, Not Skynet

Self-Ordering Kiosks Alter the Restaurant Industry

12 Customer Survey Best Practices for ISVs

4 Answers to ISVs’ Most Pressing Questions About Social Media