The PCI SSC (Council) is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.

All in-scope companies must validate their compliance annually. This validation can be conducted by Qualified Security Assessors, i.e. companies that have completed a three-step certification process by the PCI SSC which recognises them as being qualified to assess compliance to the PCI DSS standard. However, smaller companies have the option to use a Self-Assessment Questionnaire. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant’s region.

The current version of the standard specifies 12 requirements for compliance, organised into 6 logically related groups, which are called “control objectives.”

1. Build and Maintain a Secure Network
   • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
   • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
   • Requirement 3: Protect stored cardholder data
   • Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
   • Requirement 5: Use and regularly update anti-virus software
   • Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
   • Requirement 7: Restrict access to cardholder data by business need-to-know
   • Requirement 8: Assign a unique ID to each person with computer access
   • Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
   • Requirement 10: Track and monitor all access to network resources and cardholder data
   • Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
   • Requirement 12: Maintain a policy that addresses information security

Compliance with these requirements can be summarized into 3 main stages:

• Collecting and storing: Secure collection and tamper-proof storage of all log data so that it is available for analysis.
• Reporting: Being able to prove compliance on the spot if audited and present evidence that controls are in place for protecting data.
• Monitoring and alerting: Have systems in place such as auto-alerting, to help administrators constantly monitor access and usage of data. Administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself –- there must be proof that log data is being collected and stored.

What does this actually mean for web application developers?

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time. If you follow the guidelines below, you will go along way to securing you application in line with the PCI DSS regulations. Many of the measures apply to general application security, but since PCI DSS is all about security, they are worth mentioning.

Server-level Security:

• Separate web- and database-servers on to different physical machines.
• Secure the web- and database-servers with traditional techniques. Only authorised accounts should have the capabilities to run tasks on the machine. That means not giving admin-rights to the user account.
• Keep servers up-to-date with the latest patches and software releases.
• Minimise the number of services running on the server. This means limiting the services to only those required for the web- or database-servers to function.
• Secure information in transit between servers. This may mean physically securing the network to prevent evesdropping via encryption or obfuscating the data amongst innocuous ‘noise’.
• Secure the database server behind a firewall.

Application-level Security:

• Separate ColdFusion, the webserver and database server user accounts. They should never be under the same system account.
• Create a database user specifically for your ColdFusion datasource and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.
• Revoke privileges in the ColdFusion datasource definition to prevent the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
• General settings in the ColdFusion Administrator:
  • Check the Disable access to internal ColdFusion Java components option.
  • Check the Enable Global Script Protection option.
  • Add a Missing Template Handler.
  • Add a Site-wide Error Handler.
  • Reduce the Maximum size of post data from 100MB.
  • Enable Timeout Requests, and set to 60 seconds or less.
  • Disable Robust Exception Handling on production servers.

Web Application-level Security:

• Use secure HTTP to transfer data and/or when logged into ‘administration’ secutions of your web application.
• Timeout sessions after 15 minutes and on browser close.
• Provide multi-level login processes. For example, lock the application after 3 failed attempts for a period of 10 minutes.
• Do not identify whether the username or password are incorrect, simply notify the user that their login failed and that they must try again.
• Encrypt passwords stored in the database with a standard such as SHA-256 or ‘stronger’.
• Use CAPTCHAs (textual and aural) to prevent automated robots hacking into your application.
• Run regular penetration tests on your application to identify potential problems.
• Encrypt credit card information held in the database or other storage mechanism. Only store credit card data in line with the PCI DSS regulations.

Code-level Security:

• Application.cfc – Set the scriptProtect Application variable to true to enable application-wide cross-site script protection.
• CFQueryParam – This tag, importantly, verifies the data type of a query parameter and, for RDBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. Bind variable usage enhances performance when executing a cfquery statement multiple times. There are limitations to the use of the cfqueryparam tag. In ColdFusion 7 for example, you cannot use them in queries using the cachedWithin attribute. Similarly, they cannot be used in ORDER BY clauses, although the use of conditional logic should resolve the need for order by variables.
• Functions – As a rule of thumb, validate all the data being passed into a query prior to it being used. ColdFusion MX 7 saw the introduction of the isValid() function. This function tests whether a value meets a validation or data type rule and can be used to replace a large number of type-specific functions such as isArray(), isBinary(), isBoolean(), isDate(), isNumeric() and isSimpleValue() etc.
• Stored Procedures – I often favour the use of stored procedures over standard queries. Not only do they add an additional level of performance, they provide an additional level of security; ColdFusion does not do any raw processing of queries in the web code, it simply passes variables down the wire to the database server.

Conclusion

The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored or transmitted by merchants. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorisation. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip – and personal identification numbers entered by the cardholder.

By following the points made above, you will go a long way to meeting the PCI DSS guidelines, whilst also securing your infrastructure and applications in a more general sense.

Caveat: The views and comments written in this article are provided as a guideline. I hold no responsibility for the security of your applications and data based upon the information provided.

This article was inspired by a great blog post at Aviva Directory, entitled Grade Your Website: 31 Free Online Tests.

Below is a compendium of tools I use on a regular basis to test website I work on, based on Aviva Directory’s headings (incidentally they list the same tools I use regularly).:

Code Validation

The WDG HTML Validator is an excellent tool for identifying syntax errors on pages driven by markup languages. There is also an option to recursively check for errors on every page in the website directory, which is invaluable when checking large, dynamic websites.

The W3C Link Checker searches for and identifies broken links for a given URL. The tool specifically checks that all the links are de-referenceable, no links and anchors are defined twice and warns about invalid http and directory redirects.

Accessibility

Watchfire’s WebXACT is a must use tool for all serious designers and developers. The tool lets you test single pages and generates a very detailed report on the quality, accessibility and privacy of a website.

Speed

Web Page Analyzer from Website Optimization is an excellent tool that calculates page size, composition, and download time. The script calculates the size of individual elements and sums up each type of web page component (objects, CSS, images etc). Based on these page characteristics the script then offers advice on how to improve page load time. The script incorporates best practices web site optimisation techniques into its recommendations.

Browser Simulator

Browsershots is a tool, created by Johann C. Rocholl, which takes screenshots of your website in various browsers and platforms including Firefox and Internet Explorer on Windows, Firefox and Safari on Mac OS X and Iceweasal and Konqueror on Linux. When the user submits a URL it is added to a job queue. Unfortunately the queue requires you to wait up to three hours before retrieving your screenshots, but the results provide a clear indication of how the website will be received by different user setups.

Search Engine Optimisation (SEO)

SEO Workers SEO Analysis Tool is an extremely useful tool that analyses an assortment of page features including meta tags, keyword density and load time. A user simply submits a URL for testing and the report is returned.

The secret behind this implementation is a filter introduced in IE55 that is called AlphaImageLoader. This filter takes an image with alpha channels and displays it. It has also a property for deciding how to scale the image.

To download this permanently: iepngfix.zip (15kb).

How to Implement

1. Put the iepngfix.htc file into your CSS directory
2. Put the blank.gif file into your CSS directory (otherwise you will need to edit the HTC file)
3. Edit your CSS to include the following line behavior:url(iepngfix.htc); for the <img> tag

Known Issues

This uses CSS “behaviors”, a custom Microsoft extension to CSS. As such, it will not affect any other browsers like Mozilla and Opera which already implement good PNG support. It will also not help IE4.0 and IE5.0, which don’t include the necessary IE filter, and does nothing with IE5/Mac (which natively supports translucent PNG foreground images, however).

You should not apply other visual filters to the iamge with the PNG behavior because these other filters do not respect the alpha channels and the result will most likely not be satisfactory.

Alternatives

An alternative source that I recently discovered is found at the following link http://webfx.eae.net/dhtml/pngbehavior/pngbehavior.html

Below are links to of each of the 12 issues.

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

Below are links to of each of the 12 issues.

• January
• February
• March
• April
• May
• June
• July
• August
• September
• October
• November
• December

For more information about MicroID, check out the blog, read the spec, download example code or join the discussion list.

Occam’s razor states that the explanation of any phenomenon should make as few assumptions as possible. The principle is often expressed in Latin as the lex parsimoniae (law of succinctness):

entia non sunt multiplicanda praeter necessitatem

which translates to:

entities should not be multiplied beyond necessity

This is often paraphrased as “All things being equal, the simplest solution tends to be the best one.” One consequence of this methodology is the idea that the simplest or most obvious explanation of several competing ones is the one that should be preferred until it is proven wrong.

So, how can this apply to web development. There is an analogy between software development and the scientific theory as a means to enhance the credibility of a particular set of programming practices. Once a programmer has a theory (model) of the software in their head, they can talk about and explain its behavior to others. When they make changes to the code, they do so in a way that is consistent with the theory and therefore “fits in” with the existing code base well. A programmer not guided by such a theory is liable to make modifications and extensions to the code that appear to be “tacked on” as an afterthought, and not consistent with the design and philosophy of the existing code base.

Simply, don’t add markup where markup is not needed. Don’t over complicate an application structure. If you have the choice between 2 or 3 paths to the same end – choose one and let it be the simplest and shortest, but with the caveat, don’t cut corners. This will make for cleaner, understandable code with faster download times, something all developers should work towards. CSS has helped this concept immersurably by removing the need to use inline styles, font tags, tables for positioning etc.

In terms of ColdFusion, the use of design patterns (e.g. Singleton, Model-View-Controller…) and the now numerous frameworks (e.g. Fusebox, Model-Glue, Mach-II, Reactor…) has reduced or even removed the concept of “spaghetti code”, the bane of may a web developer’s life and indeed the often muted argument against ColdFusion as an enterprise level application development environment.

In object-oriented programming, programming objects represent real-world objects. To illustrate, consider the example of an address book, which contains listings of people along with zero or more phone numbers and zero or more addresses. In object-oriented terms this would be represented by a “person object” with “slots” (fields, members, instance variables etc.) to hold the data that make up this listing: the person’s name, a list (or array) of phone numbers, and a list of addresses.

The crux of the problem is in translating those objects to forms which can be stored in files or databases, and which can later be retrieved easily while preserving the properties of the objects and their relationships; these objects can then be said to be persistent.

Object-Relational systems attempt to solve this problem by providing libraries of classes which are able to do this mapping automatically. Given a list of tables in the database, and objects in the program, they will automatically map requests from one to the other. Asking a person object for its phone numbers will result in the proper query being created and sent, and the results being “magically” translated directly into phone number objects inside the program.

From a programmer’s perspective, the system looks like a persistent object store. One can create objects and work with them as one would normally, and they automatically end up in the relational database.

A number of ORM frameworks have been created for ColdFusion:

Reactor

Reactor, created by Doug Hughes of Alagad fame, is a very simple API for ColdFusion which generates and instantiates database abstraction CFCs on the fly as needed.

http://www.doughughes.net/

Arf!

Active Record Factory (Arf!) is a Rails-style ActiveRecord implementation in ColdFusion.

Below is a list of the basics that Arf! provides:

• JDBC metadata based reflection: not database specific

• Creates ActiveRecord API‘d instances out of CFCs that extend a base ActiveRecord component

• Implements hasMany() and belongsTo() methods for establishing Record properties that point to other tables

• Allows for overloading any of the automagically generated methods to add custom business logic

• Automagic methods on Records include GetInstance(), Create(), Read(), Update(), Delete(), Save() [smart create/update], List(orderBy, whereClause), Validate() [does type and length checking], and SetNNN()/GetNNN() methods for each DB column

http://www.clearsoftware.net/

objectBreeze

Developed by Nicholas Tunney, objectBreeze is an ORM tool that allows you to interact with your data persistence layer and easily model objects within your ColdFusion applications. With no setup, objectBreeze will instantly create objects directly from your database schema. objectBreeze requires that your table has -a- primary key defined. Currently, objectBreeze works with Microsoft SQL, Oracle, MySQL and PostgreSQL, but other versions are on the way.

http://www.objectbreeze.com/ob/

cfcPowerTools

Batch generation of your data layer objects in minutes.

http://cfcpowertools.riaforge.org/

Transfer

Transfer was built out of a need to speed up the development process that is normally slowed down by the development of Business Objects and Data Access Objects.

Transfer does this through a series of methods, including SQL generation and CFML code generation, that all occur during the run-time process.

All this is configured through a XML file, that maps your object generation back to the tables and columns in your database.

http://www.compoundtheory.com/

Captchas are used to prevent bots from using various types of computing services. Applications include preventing bots from taking part in online polls, registering for free email accounts (which may then be used to send spam), and, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a captcha test before the email message is delivered.

Captcha Implementations

ColdFusion:

• The Alagad Captcha, a ColdFusion Component (CFC) written in 100% native ColdFusion.
• The Compound Theory Captcha CFC, A Free Coldfusion Captcha Component (CFC)

However, there are situations where you cannot use the full-text searching capabilities of Verity. For example, Verity only runs on Windows, Linux and Solaris, therefore the ability to run ColdFusion MX on the Apple OS X operating system, whilst advantageuos to developers who code on the Apple platform, does not include the ability to use Verity. Furthermore, programmers who work in a hybrid J2EE/ColdFusion MX environment cannot natively use the Verity search capabilities in the J2EE environment. Finally, programmers who need customized searching and indexing capabilities may find the standard Verity integration limiting. There are work-arounds include installing Verity on a Windows, Linux, or Solaris server and configuring your ColdFusion server to use the remote Verity server, however these may not only be impractical, but cost-prohibitative.

Enter Lucene, an open source full-text searching framework from the Apache Jakarta project, which, when combined with ColdFusion MX, can be run on Apple OS X, can be programmatically accessed by both J2EE and ColdFusion MX developers, and can be fully customized and extended.Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform.

Apache Lucene is an open source project available for free download.

Features

• Lucene offers powerful features through a simple API.

Scalable, High-Performance Indexing

• Over 20MB/minute on Pentium M 1.5GHz
• Small RAM requirements — only 1MB heap
• Incremental indexing as fast as batch indexing
• Index size roughly 20-30% the size of text indexed

Powerful, Accurate and Efficient Search Algorithms

• Ranked searching — best results returned first
• Many powerful query types: phrase queries, wildcard queries, proximity queries, range queries and more
• Fielded searching (e.g., title, author, contents)
• Date-range searching
• Sorting by any field
• Multiple-index searching with merged results
• Allows simultaneous update and searching

ColdFusion & Lucene Implementations

If you don’t fancy attempting the task of writing your own ColdFusion implementation of Lucene, below are a couple of projects that will give you a kick-start along the road to indexing database content. With the addition of other Java projects such as PDFBox the textual content of a pdf can also be extracted and indexed.

Aaron Johnson

Inspired by Lindex, Aaron Johnson has created a CFX Tag called CFX_Lucene that closely mimics the ColdFusion cfsearch tag, but uses Lucene rather than Verity.

http://cephas.net/blog/lucene/index.html

CFLucene

CFLucene is an open source project that attempts to provide developers an easy way to integrate the indexing and searching functions of the Apache Lucene Java library with a ColdFusion web application. The CFLucene is a collection of ColdFusion Components that natively call the Lucene Java classes to index and search any sort of textual data.

http://www.cflucene.org/