Gtorok: Rewrote to make current with latest PCI security guidelines

2018-06-21T14:00:51Z

Rewrote to make current with latest PCI security guidelines

Johanna Curiel at 21:51, 30 July 2016

2016-07-30T21:51:51Z

Dinis.cruz at 10:37, 14 September 2006

2006-09-14T10:37:23Z

New page

this page will contain all relevant information about the PCI DSS, including OWASP's comments

links:

* [http://www.PCISecurityStandards.org PCISecurityStandards.org website]
* comment by Jeremiah Grossman [http://jeremiahgrossman.blogspot.com/2006/09/new-pci-data-security-standard.html New PCI Data Security Standard released!]
* [https://sdp.mastercardintl.com/vendors/vendor_list.shtml PCI Vendor list]

@@ Line 1: / Line 1: @@
-{{taggedDocument
+PCI DSS - Mobile Security Recommendations
-| type=delete
+== PCI Mobile Payment Acceptance Security Guidelines ==
-}}
+The 2017 PCI Mobile Payment Acceptance Security Guidelines states, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”
-this page will contain all relevant information about the PCI DSS, including OWASP's comments
+== Section 4.3 Prevent Escalation of Privileges ==
+Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors. Therefore, the device should be monitored for activities that defeat operating system security controls—e.g., jailbreaking or rooting—and, when detected, the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or disables the payment application. Offline jailbreak and root detection and auto quarantine are key since some attackers may attempt to put the device in an offline state to further circumvent detection. Hardening of the application is a method to that may help prevent escalation of privileges in a mobile device. Controls should include, but are not limited to:
-links:
+*Providing the capability for the device to produce an alarm or warning if there is an attempt to root or jailbreak the device;
+*Providing the capability within the payment-acceptance solution for identifying authorized objects and designing controls to limit access to only those objects
-* [http://www.PCISecurityStandards.org PCISecurityStandards.org website]
+== Links ==
-* comment by  Jeremiah Grossman [http://jeremiahgrossman.blogspot.com/2006/09/new-pci-data-security-standard.html New PCI Data Security Standard released!]
+*[https://www.pcisecuritystandards.org/documents/PCI_Mobile_Payment_Acceptance_Security_Guidelines_for_Developers_v2_0.pdf PCI Mobile Payment Acceptance Security Guidelines for Developers • September 2017]
-* [https://sdp.mastercardintl.com/vendors/vendor_list.shtml PCI Vendor list]
+* [https://www.preemptive.com/blog/article/980-an-app-hardening-use-case-filling-the-pci-prescription-for-preventing-privilege-escalation-in-mobile-apps/106-risk-management Blog on Preventing Privilege Escalation in Mobile Payment Apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)]

← Older revision		Revision as of 21:51, 30 July 2016
Line 1:		Line 1:
		+	{{taggedDocument
		+	\| type=delete
		+	}}
	this page will contain all relevant information about the PCI DSS, including OWASP's comments		this page will contain all relevant information about the PCI DSS, including OWASP's comments

PCI DSS - Revision history

Gtorok: Rewrote to make current with latest PCI security guidelines

Johanna Curiel at 21:51, 30 July 2016

Dinis.cruz at 10:37, 14 September 2006