Maintain Secure Systems

Integrator Notes

On your servers you should ensure that the latest security patches have been applied.

When making changes to Znode Storefront use the following industry best practices:

•	Test of all security patches and system and software configuration changes before deployment

•	Separate development, test, and production environments

•	Separation of duties between development, test, and production environments

•	Production data (live PANs or Credit Card numbers) are not used for testing or development

•	Remove test data and accounts before production systems become active

•	Remove custom application accounts, usernames, and passwords before applications become active or are released to customers

•	Review custom code prior to release to production or customers in order to identify any potential coding vulnerability.

Follow change control procedures for all system and software configuration changes. The procedures must include the following:

•	Documentation of impact

•	Management sign-off by appropriate parties

•	Testing of operational functionality

•	Back-out procedures

Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following:

•	Un-validated input

•	Broken access control (for example, malicious use of user IDs)

•	Broken authentication and session management (use of account credentials and session cookies)

•	Cross-site scripting (XSS) attacks

•	Buffer overflows

•	Injection flaws (for example, structured query language (SQL) injection)

•	Improper error handling

•	Insecure storage

•	Denial of service

•	Insecure configuration management

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

•	Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

•	Install an application layer firewall in front of web-facing applications. Note that installing an application layer firewall is required per PCI-DSS Requirement 6.6.

Further information on secure web development can be found at:

http://www.owasp.org/index.php/OWASP_Top_Ten_Project

When deploying applications to production be sure to make backups of both your database and application code first. PCI-DSS requires that you have well defined procedures for testing your code prior to deploying to production and that you have production back-out procedures should you have issues with your deployment.

Configuration Notes

By default the web services feature of Znode Storefront is secured and not accessible. You should properly configure your webservices directory to ensure that web services are not publicly accessible.