A recap from our latest PCI webinar, and compliance tips from Deliveroo

| By Taylor Macomber

Remember our previous blog post on the new PCI standards and how to comply? We recently hosted a webinar to break down what’s important to take away from the latest update, far beyond the fundamentals.

During the session, Jim Manico (founder at Manicode) and Adam Thompson, Information Security Officer at Deliveroo shared their insights to the updates, and best practices on how to comply.

The PCI Secure Software framework: why it’s important

PCI has many requirements that apply to the implementation, configuration, and development of payment software. As with other compliance frameworks, these standards evolve over time. Several elements of this updated framework relate to third-party libraries, security best practices, and topics developers should understand deeply.

A large portion of the family of PCI standards has been reworked, making now a good time to ensure your organization is fully compliant.

Common PCI compliance gaps

Developer security education is a key

According to Jim Manico, the single biggest gap for many teams in building secure applications is culture. Some wise companies provide programmers with security orientation as early as possible before allowing them to write code. This is beneficial, not only because it results in more secure code, but also because it sends a message that security is taken seriously by the organization.

On the other hand, many companies spend money on security tools but do not teach developers about security or expect them to implement it. They just want them to get their jobs done. Consequently, those developers don’t view security as an important part of their jobs. This practice should be straightened out to meet compliance, including PCI.

Use tools to automate security for developers

The next biggest gap is tooling. As DevOps becomes more and more the norm, it’s key to bring on tools that automate security, from testing to vulnerability management. In particular, third-party security should be taken more seriously, and testing and mitigation should be automated and conducted on a regular basis.

The old status quo of conducting security checks just before pushing something out into production does not work at the age of DevOps and its fast development cycles. Developers need to be an integral part of both finding and fixing vulnerabilities in software. In other words, security needs to shift left and be automated .

How Deliveroo leverages Snyk to meet PCI compliance

Deliveroo is classified as a merchant level one under PCI standards. When it comes to PCI-DSS specifically, Deliveroo uses Snyk to meet requirement 6.2—to ensure all systems and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches and installing critical ones within one month of release.

If, as a payment processor, you take a second to think about everything in your cardholder data environment, and the fact that you have to manage vulnerabilities across all of it—from infrastructure application stacks to self-hosted, off-the-shelf products to open source dependencies, it’s a lot. As Adam put it “I can only hope you have a cloud provider with a shared responsibility model to help you reduce some of that scope. Otherwise, you have to worry about everything in your data center as well.”

Fix vulnerabilities quickly and per priority

Now back to requirement 6.2: The important factor here is your vulnerability management framework, which defines how you’re going to treat vulnerabilities identified by Snyk. Obviously, vulnerabilities defined as critical need to be resolved in a month period, as mentioned within the standard. You can also take steps outside of patching in the short term as part of your vulnerability management framework.

All in one: Open source and container security, no matter the language

Snyk specifically enables Deliveroo to target vulnerable dependencies in code and dependencies in containers. Deliveroo uses Snyk to scan in-scope repositories, which include languages such as Ruby, JavaScript, Swift, and Kotlin, as well as some mobile dependencies. They also link up with Amazon Elastic Container Registry to cover their containers.

Adam says, “I’d like to call out Snyk’s ease of use when it comes to integration. You can go from no visibility to full visibility really quickly with no interruptions to workflow Snyk provides a high level of control, which is great.” He pointed out that manually searching for and patching the vulnerabilities that Snyk automatically takes care of would be a major (if not impossible) undertaking for any team. 

Snyk helps Deliveroo by putting open source vulnerability management all in one place, no matter the language.

Adam finished up by saying, “We’re just starting our journey with Snyk, and we’re excited to make use of all the helpful automation and insights they provide to engineers while shifting security all the way to the left.”

The future of PCI-DSS (it’s not over!)

While the new PCI rules are a big step forward, keep in mind that more changes are coming down the pike. We expect future iterations to focus on things like open source

dependencies to an even greater extent. This provides all the more incentive to ensure that your security practices around open source component usage, vulnerability testing, and mitigation are airtight.

Snyk is a developer-first security company, helping developers to find and fix vulnerabilities and license issues in their open source dependencies and containers.

Watch our recent PCI Compliance Webinar On-Demand Here:
https://info.snyk.io/pci-deep-dive-webinar-typ

Speakers


Jim Manico, Manicode

Adam Thompson, Deliveroo

Alexi Pivkine, Snyk