
Application Programming Interface (API) testing for PCI DSS compliance

The Payment Card Industry Data Security Standard (PCI DSS) is the set of security standards designed to protect cardholder data and ensure the secure processing of credit and debit cards. The PCI DSS v3.2.1 was written before the emergence of Application Programming Interfaces (APIs), and thus largely ignores them. However, the Open Web Application Security Project (OWASP) and PCI have both recognized the importance of covering APIs in the context of PCI DSS compliance.

API testing is a form of security testing that goes beyond traditional firewall, web application firewall (WAF), and intrusion detection system (IDS) testing. It uses fuzzing techniques to ensure that sessions, including their state information and data, are adequately separated from one another. It also ensures that any management tasks exposed through APIs are adequately authenticated, authorized, and impervious to hijacking.

API testing requires the OpenAPI definition file and a selection of differently privileged test userIDs to work with. It also reveals whether useful logging and alerting is missing; if so, the API may need some redesign to ensure that all PCI-required events are in fact being recorded. Finally, both internal and externally accessible APIs should be tested to ensure least privilege.
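As an added illustration of the check described above (not code from the original article), the following Python harness walks an OpenAPI definition and exercises every operation as each differently privileged test identity, flagging operations that are reachable below their required role and denials that leave no audit record. The OpenAPI fragment, the `x-required-role` vendor extension, the test tokens and the in-process `call_api` stand-in for the real API are all constructed assumptions so that the check runs offline.

```python
ROLE_RANK = {"anonymous": 0, "cardholder": 1, "merchant_admin": 2}

# Constructed OpenAPI fragment: each operation is tagged with the minimum role it
# should accept (x-required-role is an assumed vendor extension, not a standard field).
OPENAPI = {"paths": {
    "/payments": {"post": {"x-required-role": "cardholder"}},
    "/payments/{id}": {"get": {"x-required-role": "cardholder"}},
    "/admin/keys/rotate": {"post": {"x-required-role": "merchant_admin"}},
}}

# Differently privileged test identities (constructed tokens; None = unauthenticated).
TEST_USERS = {"anonymous": None, "cardholder": "tok-ch", "merchant_admin": "tok-adm"}

def call_api(method, path, token, audit_log, defect=None):
    """Constructed stand-in for the API under test: returns an HTTP status and records
    denied requests in audit_log (PCI DSS Requirement 10). `defect` injects a flaw."""
    caller = next(r for r, t in TEST_USERS.items() if t == token)
    need = OPENAPI["paths"][path][method]["x-required-role"]
    if ROLE_RANK[caller] >= ROLE_RANK[need]:
        return 200
    if defect == "missing_role_check" and path.startswith("/admin/"):
        return 200  # management endpoint forgot its authorization check
    if defect != "missing_audit_log":
        audit_log.append({"event": "authz_denied", "caller": caller,
                          "method": method, "path": path})
    return 403

def least_privilege_findings(defect=None):
    """Exercise every operation as every test user; report operations that are
    reachable below their required role, and denials that leave no audit record."""
    findings = []
    for path, ops in OPENAPI["paths"].items():
        for method, op in ops.items():
            need = op["x-required-role"]
            for role, token in TEST_USERS.items():
                if ROLE_RANK[role] >= ROLE_RANK[need]:
                    continue  # entitled caller; not a least-privilege case
                audit_log = []
                status = call_api(method, path, token, audit_log, defect)
                if status == 200:
                    findings.append(f"{method.upper()} {path}: reachable by '{role}', requires '{need}'")
                elif not audit_log:
                    findings.append(f"{method.upper()} {path}: denial for '{role}' not logged")
    return findings

if __name__ == "__main__":
    for defect in (None, "missing_role_check", "missing_audit_log"):
        print(defect, least_privilege_findings(defect))
```

Against a real deployment the same loop would issue HTTP requests with each identity's credentials and then query the log pipeline for the matching denial events.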

In conclusion, API testing is an important aspect of PCI DSS compliance that must not be overlooked. It requires an OpenAPI definition file and a selection of differently privileged test userIDs to work with, and it should be performed on both internal and external APIs. It also reveals whether useful logging and alerting is missing, in which case the API may need redesigning to ensure that all PCI-required events are being recorded. AT&T Cybersecurity provides PCI DSS consulting services to help organizations manage risk and keep their companies secure.

Key Points:

• The PCI DSS v3.2.1 largely ignores APIs
• API testing is a form of security testing that goes beyond traditional Firewall, Web Application Firewall, and Intrusion Detection System testing
• API testing requires the OpenAPI definition file and a selection of differently privileged test userIDs to work with
• API testing will also reveal if useful logging and alerting is not occurring
• Both internal and external APIs should be tested to ensure least-privilege
• AT&T Cybersecurity provides PCI DSS consulting services
