
Page 1: PCI-DSS 3.0 Compliance with White Source

©2014 White Source Software Ltd. All Rights Reserved. White Source is a Trademark of White Source Software

PCI-DSS 3.0 Compliance with White Source

Overview

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements.

As part of PCI-DSS, organizations must “maintain a vulnerability management program”, which includes developing and maintaining secure systems and applications (cf. Requirement 6).

Importantly, as part of a vulnerability management program, software vendors are required to ensure not only that their own code is not vulnerable, but also that the open source libraries that are an integral part of their product are not likely to pose a security risk. White Source – a leading open source compliance and security management vendor – provides this service to both software vendors and their customers. We continuously monitor web vulnerability databases and notify software vendors and their customers when a vulnerability is discovered which directly affects their product, as well as when a fix is available.

Who Must Comply

According to Visa, all acquirers and issuers must comply, and must also ensure the compliance of their merchants and service providers who store, process, or transmit Visa account numbers. However, much of PCI is quite general and has evolved to become a gold standard for many organizations in other industries as well.

Why White Source

White Source helps software developers and their customers comply with Requirement 6 of the standard.

Whereas most software vendors do a good job of controlling the quality and security of their own code, they often need help managing the quickly growing body of open source libraries that their developers use to boost their own code.

Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.


White Source is the leading provider of open source license compliance and security management solutions. Specifically, White Source provides two main services related to PCI:

1. Proactively alert software developers whenever security vulnerabilities are discovered in specific open source libraries that are used within their products.

2. Proactively alert software vendors when a new version is released for an open source library they use, including reference to the vulnerabilities and other bugs that were fixed.

In addition, White Source helps software vendors comply with open source licenses and regulations by continuously keeping track of all open source libraries used in each of their projects and product versions. Software vendors, as well as their customers, can use White Source to enforce an open source acceptance policy, including ensuring compliance with the requirements of specific licenses in a way that mitigates legal and business risks.

White Source for PCI-DSS 3.0

White Source primarily helps address the following PCI-DSS security requirements:

Requirement 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

White Source solution:
- Continuously monitor common security vulnerability databases
- Catalog CVEs according to severity: high, medium, low
- Match CVEs to open source libraries
- Identify CVEs that are relevant to open source libraries used in a specific software project and product version

Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install security patches within one month of release.

White Source solution:
- Proactively alert whenever a security vulnerability becomes known for a relevant open source library
- Proactively alert when a fix/patch is available, and continue to alert until it is installed

Requirement 6.3: Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
- In accordance with PCI DSS
- Based on industry standards and/or best practices
- Incorporating information security throughout the software-development life cycle

White Source solution:
- Can be used to enforce compliance with open source security best practices by both internal software developers and external software vendors
- Agile approach makes it easy to incorporate best practices throughout the entire software development lifecycle

Requirement 6.4.5: Change control procedures for the implementation of security patches and software modifications.

White Source solution:
- Follows and documents all changes to open source libraries due to (1) new or changing functionality; (2) patches and upgrades; and (3) changes to the open source library itself, including especially the addition of new dependencies
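The 6.1 and 6.2 entries above describe a concrete workflow: take a vulnerability feed, rank each advisory high/medium/low, match advisories against the open source libraries and versions shipped in a given product version, and keep alerting until the fixed version is actually installed. The Python script below is an added example that implements that workflow on constructed data; it is not White Source's code or tooling. The advisory ids (EXAMPLE-000x), library names, versions and CVSS scores are made up, the 7.0/4.0 severity thresholds are an assumption (PCI-DSS leaves the ranking method to the organization), and versions are assumed to be plain dotted integers.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically
    (lexical comparison would wrongly say '1.10.0' < '1.9.0'). Assumes dotted ints."""
    return tuple(int(part) for part in text.split("."))


def rank_severity(cvss_score):
    """Assign the high/medium/low ranking Requirement 6.1 asks for.
    The 7.0 / 4.0 bucket thresholds are an assumption, not a PCI-mandated scale."""
    if cvss_score >= 7.0:
        return "high"
    if cvss_score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Advisory:
    advisory_id: str          # placeholder ids below, not real CVE numbers
    library: str
    introduced: str           # first affected version (inclusive)
    fixed_in: Optional[str]   # None means no patch has been published yet
    cvss: float


@dataclass
class Finding:
    library: str
    installed: str
    advisory_id: str
    severity: str
    fixed_in: Optional[str]

    @property
    def fix_available(self):
        return self.fixed_in is not None


def affected(advisory, installed):
    """True when installed is in [introduced, fixed_in); unfixed advisories have no upper bound."""
    v = parse_version(installed)
    if v < parse_version(advisory.introduced):
        return False
    if advisory.fixed_in is not None and v >= parse_version(advisory.fixed_in):
        return False
    return True


def match_inventory(inventory, feed):
    """Match each (library, version) a product ships against the feed and return
    findings ranked most severe first (6.1), noting whether a patch exists (6.2)."""
    findings = []
    for lib, version in inventory.items():
        for adv in feed:
            if adv.library == lib and affected(adv, version):
                findings.append(Finding(lib, version, adv.advisory_id,
                                        rank_severity(adv.cvss), adv.fixed_in))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.library))
    return findings


def open_alerts(inventory, feed):
    """Alerts stay open until the fixed version is actually installed: re-running
    this against the updated inventory is the check that closes them."""
    return {(f.library, f.advisory_id): f for f in match_inventory(inventory, feed)}


# Constructed vulnerability feed: ids, names, ranges and scores are invented for this example.
FEED = [
    Advisory("EXAMPLE-0001", "webframework", "2.0.0", "2.3.1", 9.8),
    Advisory("EXAMPLE-0002", "xmlparser", "1.0.0", None, 5.3),
    Advisory("EXAMPLE-0003", "cryptolib", "0.9.0", "1.1.0", 3.1),
    Advisory("EXAMPLE-0004", "webframework", "1.0.0", "1.9.0", 7.5),
]

# Constructed inventory for one product version, as a dependency manifest would list it.
PRODUCT_V1 = {"webframework": "2.1.0", "xmlparser": "1.2.0",
              "cryptolib": "1.1.0", "logger": "3.0.0"}

if __name__ == "__main__":
    for f in match_inventory(PRODUCT_V1, FEED):
        status = f"fix in {f.fixed_in}" if f.fix_available else "no fix yet"
        print(f"{f.severity:6} {f.library} {f.installed} {f.advisory_id} ({status})")
    # Simulate installing the patch for webframework; only the unfixed xmlparser alert stays open.
    upgraded = dict(PRODUCT_V1, webframework="2.3.1")
    print("still open after upgrade:", sorted(open_alerts(upgraded, FEED)))
```

Two details matter in practice: version comparison must be numeric (a string compare would miss or invent matches), and an advisory with no published fix still produces a finding, because Requirement 6.2's one-month patch clock only starts once a fix exists while 6.1's risk ranking applies immediately.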