The rise of Application Programming Interfaces (APIs) over the last few years has impacted how all industries exchange information to conduct business. Simultaneously, APIs have become one of the leading attack vectors for criminals to leverage for data theft.
The payment card industry is no exception, and security standards governing this space have evolved to address some of the unique threats APIs can pose to an organization.
For the first time in its history, the Payment Card Industry Data Security Standard (PCI DSS) has explicitly included considerations for API security within its framework with the March 2022 release of its Version 4.0 security standard.
What Is the PCI DSS?
The PCI DSS is a set of security standards established to protect cardholder data and reduce the risk of payment card fraud. Version 1 of the standard was first released in 2005 by the Payment Card Industry Security Standards Council (PCI SSC), which includes representation from major credit card companies including Visa, Mastercard, American Express, Discover, JCB and UnionPay.
PCI DSS applies to all organizations that handle, process or store payment card information, including:
- Merchants
- Service providers
- Financial institutions
- Any entity involved in the payment card transaction process
Which requirements apply to an organization, and how far their scope extends, depends on the type of interactions the organization has with cardholder account data, such as the payment channels it uses and the technologies involved in those processes.
API Security and the PCI DSS
An API comes into PCI DSS scope for any organization that hosts it to receive or transmit cardholder account data. Applicable security requirements for the API include a range of general recommended security practices found within the PCI DSS, such as:
- Requirement 2. Secure service
- Requirement 4. Protocol configurations used by the API
- Requirement 6. Use of secure development practices to mitigate and address vulnerabilities
- Requirement 7. Appropriate authentication
- Requirement 8. Authorization of users
- Requirement 11. Conducting regular vulnerability assessments
With the release of Version 4.0 of the PCI DSS security standard, the PCI council has included specific guidance on the use of applicable APIs for a handful of individual requirements found within the standard. The applicability of security controls for in-scope APIs isn’t limited to these requirements alone, but the council has updated the guidance included with them to highlight considerations for the use and hosting of APIs that interact with cardholder account data. Guidance for these requirements is found within the PCI DSS Requirement 6 control family, Develop and Maintain Secure Systems and Software.
Practical Steps Towards Compliance
APIs are a unique part of an organization’s attack surface and require careful attention to keep them secure. A layered approach to API security is best for compliance and, more importantly, for keeping data secure. Here are five practical steps to help your organization lock down API-related risks.
- Update Your Inventory. You can’t protect the technical aspects of an environment you aren’t aware of, so the first step towards securing APIs is to keep an updated inventory. Organizations should have a documented understanding of the APIs involved in payment processing, the classification of data they handle, and the mechanisms in place to keep data safe.
- Implement and Maintain a Robust Authorization Mechanism for APIs. Authorization-related vulnerabilities represent the most common weakness for APIs. Authorization checks should confirm that each requested resource is accessible by the authenticated user, and they should be performed regularly.
- Use a Standard Authentication Process for Requests that Deal with Private Data. Leverage multifactor authentication wherever possible. Apply authentication restrictions to help prevent brute force attempts, credential stuffing and other common authentication attacks.
- Securely Configure the Systems that Support APIs. Use transport layer security encryption for all servers that handle cardholder account data. Always include relevant security headers and only allow HTTP verbs that serve business requirements.
- Conduct Regular Security Audits of APIs and the Supporting Infrastructure. These audits should test the APIs for both technical weaknesses and business logic flaws.
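The authorization and secure-configuration steps above can be enforced in one request path. The sketch below is an added example, not code from the PCI DSS or from this article: the `handle` and `route` functions, the `/payments` route, the ownership records and the specific headers chosen are all hypothetical assumptions, and the caller is assumed to be authenticated upstream.

```python
from http import HTTPStatus

# Constructed inventory: route -> HTTP verbs the business actually needs.
ALLOWED_VERBS = {"payments": {"GET", "POST"}}
# Constructed ownership records: payment id -> owning account.
PAYMENT_OWNER = {"p-1001": "alice", "p-1002": "bob"}
# Assumed header set, attached to every response, including errors.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Cache-Control", "no-store"),
]


def route(method, path, user):
    """Decide one request; `user` is the authenticated caller or None."""
    parts = path.strip("/").split("/")
    verbs = ALLOWED_VERBS.get(parts[0])
    if verbs is None:
        return HTTPStatus.NOT_FOUND, [], "not found"
    if method not in verbs:
        allow = ", ".join(sorted(verbs))
        return HTTPStatus.METHOD_NOT_ALLOWED, [("Allow", allow)], "method not allowed"
    if user is None:
        return HTTPStatus.UNAUTHORIZED, [], "authentication required"
    if method == "GET" and len(parts) == 2:
        # Object-level check on every request: the record must belong to
        # the caller. Missing and foreign ids get the same answer so that
        # responses do not reveal which ids exist.
        if PAYMENT_OWNER.get(parts[1]) != user:
            return HTTPStatus.NOT_FOUND, [], "not found"
        return HTTPStatus.OK, [], "payment " + parts[1]
    if method == "POST" and len(parts) == 1:
        return HTTPStatus.CREATED, [], "payment accepted"
    return HTTPStatus.NOT_FOUND, [], "not found"


def handle(method, path, user):
    """Return (status, headers, body) with security headers always set."""
    status, extra, body = route(method, path, user)
    return int(status), SECURITY_HEADERS + extra, body


if __name__ == "__main__":
    for req in [("GET", "/payments/p-1001", "alice"),
                ("GET", "/payments/p-1002", "alice"),
                ("DELETE", "/payments/p-1001", "alice"),
                ("GET", "/payments/p-1001", None)]:
        print(req, "->", handle(*req)[0])
```

The verb allow-list doubles as a small API inventory: a route or verb that is not listed is rejected by default.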
Review the OWASP Top Ten and the OWASP API Security Top Ten for additional information about securing your organization’s APIs.