Achieving PCI DSS compliance with Pluralsight is too convenient for excuses

- select the contributor at the end of the page -
Any website dealing with payment card info on the Web will inevitably be the target of online attackers, making it vital for developers to have security training. Card data is extremely valuable to attackers, not just because it can be immediately used to make purchases, but because the cards themselves are valuable commodities in underground markets. There are many “carding” websites in existence, purely to facilitate the sale of stolen financial data. To put it simply, it's big business.

Why security standards matter

Not surprisingly, card theft is costly. It's been happening for some time, too, with TJX being one of the first seriously large incidents when over 94 million card details walked out the door before being discovered in 2006. In more recent times, we witnessed Target lose 40 million cards in 2013 and Home Depot got hit with $56 million just last year. To put those numbers in context, Target spent $146 million in the ensuing months just cleaning up the mess, while Home Depot purportedly laid out $43 million doing the same, in the span of a single quarter. Then there are the ongoing lawsuits, adding an even bigger mess and expense to the mix. And, let's not forget, this is all just for the companies that were breached.

Other big losers in these data breaches are the payment companies. When a card is compromised, it then needs to be replaced. This comes at a cost to the financial institution issuing it, not to mention the costs associated with handling fraudulent transactions. Multiply that tens of millions of times and you can see why companies like Visa, MasterCard and American Express aren't exactly pleased when a merchant suffers a breach like this. It's this very reason why we have the Payment Card Industry (PCI) and its Data Security Standard or as we commonly know it, PCI DSS.

What is PCI DSS?

The goal of PCI DSS is to set forth security standards by which organizations storing or transmitting cardholder data should follow. Non-compliance of these standards could result in serious fines. Of course, there's compliance auditing to ensure the standards are actually being met. PCI DSS isn't without its controversies, but the fact remains that if you want to handle payment card data, you need to play ball. The question then becomes how to achieve compliance efficiently, because the objectives they set forth can come at a cost.

PCI DSS objectives

It's these objectives in PCI DSS 3.0, one in particular, that brings me to the crux of this post. It's outlined in requirement 6.5, and reads: “Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.”

This requirement goes on to discuss learning industry best practices and specific risks such as SQL injection, cross site scripting, using transport layer encryption (SSL), implementing proper error handling and a raft of other common vulnerabilities found in systems of all kinds, not just those processing payment cards. In short, PCI DSS requires developers to be trained in secure coding practices that are appropriate for their role.

How Pluralsight can help

One question I often hear regarding the PCI DSS 6.5 requirement is whether developers can meet those demands through Pluralsight training. This question is often asked by someone managing a team of .NET developers, and it's asked in the context of a course like the OWASP Top 10 Web Application Security Risks for ASP.NET. At the heart of this question is uncertainty as to whether online training is sufficient. Obviously it's a very cost effective and flexible way to learn, but does it actually satisfy the requirement? Before I felt I could give a clear-cut answer, I reached out to PCI directly and got some great guidance.

Essentially, PCI DSS 6.5 indicates that developers need to be trained on secure coding practices in the technologies they're using to build the systems that handle the payment cards. How you're trained (in person or online) is inconsequential, what's key is the knowledge you obtain and the skills you can then demonstrate. In fact, the way PCI explained it is that if developers are better able to protect applications against the vulnerabilities listed in 6.5, then that training is appropriate.

Another key point here is that developers need evidence of the training. Fortunately, that's something that's readily available via Pluralsight, as course completion is tracked online. If quizzed by a security assessor, the developer can point to the record of training and, in the case of subscriptions (which include access to the course assessments), even point to a record of demonstrated knowledge.

So, the short answer is yes; Pluralsight training can help meet PCI DSS requirements. The trick is to ensure the material being studied is appropriate for the role, and in the case of a technology like ASP.NET, that's pretty well covered. Even better, it's getting even easier to meet the PCI requirements, as Pluralsight is rapidly building up a comprehensive library of security training across many domains.

Get our content first. In your inbox.

Contributor

Troy Hunt

Troy Hunt is a Pluralsight author, Microsoft MVP for Developer Security and international speaker and trainer who's been building software for browsers since the very early days of the web. He blogs regularly about cloud computing and web security at troyhunt.com and is actively involved in numerous community projects, including “Have I been pwned?” at haveibeenpwned.com. Away from electronic devices, Troy is an avid snowboarder, windsurfer and tennis player, pursuits he regularly enjoys with his young family.