Test the system for insecure cryptographic storage.


CONTROL ID
11635
CONTROL TYPE
Technical Security
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

This Control has the following implementation support Control(s):
  • Perform self-tests on cryptographic modules within the system., CC ID: 06537
  • Perform power-up tests on cryptographic modules within the system., CC ID: 06538
  • Perform conditional tests on cryptographic modules within the system., CC ID: 06539


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter-alia, specifications relating to information leakage, business logic, authentication, authorization, input data validation, exception/error handling, session management, cryptography and detailed lo… (Critical components of information security 11) c.32., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Verify that processes are in place to ensure that web applications are not vulnerable to information leakage due to insecure cryptographic storage. (§ 6.5.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview responsible personnel and examine the software development policies and procedures to verify insecure cryptographic storage is addressed by coding techniques, such as using strong cryptographic algorithms and preventing cryptographic flaws. (Testing Procedures § 6.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that processes are in place to ensure that web applications are not vulnerable to information leakage due to insecure cryptographic storage. (§ 6.5.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that processes are in place to ensure that applications are not vulnerable to information leakage due to insecure cryptographic storage. (§ 6.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The software development process must address common coding vulnerabilities, to include insecure cryptographic storage. (PCI DSS Requirements § 6.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Cryptographic data should be validated to ensure it is stored securely for internal and external web payment applications. (§ 5.1.1.3, § 5.2.8, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Do coding techniques address insecure cryptographic storage? (PCI DSS Question 6.5.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address insecure cryptographic storage? (PCI DSS Question 6.5.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)