Test the system for cross-site request forgery.


CONTROL ID
06296
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary. (CC ID: 00655)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Verify that processes are in place to ensure that web applications are not vulnerable to a Cross-Site Request Forgery. (§ 6.5.9, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview responsible personnel and examine the software development policies and procedures to verify Cross-Site Request Forgery is addressed by coding techniques to ensure applications do not rely on the tokens and authorization credentials automatically submitted by browsers. (Testing Procedures § 6.5.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the development of web applications is based on secure coding guidelines and prevents common coding vulnerabilities such as cross-site request forgeries (CSRFs). (§ 6.5.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that processes are in place to ensure that web applications are not vulnerable to cross-site request forgeries (CSRFs). (§ 6.5.9 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The software development process must address common coding vulnerabilities, to include Cross-Site Request Forgery. (PCI DSS Requirements § 6.5.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Do coding techniques address cross-site request forgery (CSRF)? (PCI DSS Question 6.5.9, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do coding techniques address cross-site request forgery (CSRF)? (PCI DSS Question 6.5.9, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address cross-site request forgery (CSRF)? (PCI DSS Question 6.5.9, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)