PCI DSS 4.0. Requirements for API Security

Learn about PCI DSS 4.0. requirements applicable to API and discover common steps toward PCI DSS compliance The rise of Application Programming Interfaces (APIs) over the last few years has impacted information flow among businesses. This is not surprising, as modern hybrid and multi-cloud environments heavily rely on APIs to exchange data, features, and functionality. In conditions where an average enterprise uses almost 2,500 cloud applications, many of which are siloed, APIs enable integration so that these platforms and apps can seamlessly communicate with one another. In addition, authentication credentials, HTTP headers, and query strings on which APIs rely provide additional security and privacy during data exchange. At the same time, an explosion of the API market at the beginning of the 2020s made APIs a common source of security concerns. API developers are moving toward more developer-friendly, lightweight API gateways, making them vulnerable to unauthorized access, data breaches, and other security threats. The issue of insecure APIs is especially sharp in the financial industry due to the sensitive financial data they handle. Out of 1629 organizations with at least 100 employees, most of which (47%) belong to Financial Services and Insurance, a striking 60% of organizations have been victims of an API-related data breach within the past two years, suggesting either a consistent security gap or recurrent threat actors exploiting these vulnerabilities. This suggests that organizations need adequate vision into security tools to prevent API attacks. Fortunately, security standards governing financial space have evolved to address some of the unique threats APIs can pose to an organization. The Payment Card Industry Data Security Standard (PCI DSS) has included considerations applicable to API security within its framework with the March 2022 release of its PCI DSS 4.0. Updates.

Understanding PCI DSS 4.0 updates

The PCI DSS comprises security standards designed to safeguard cardholder data and minimize the potential for payment card fraud. Initially introduced in 2005, the standard is overseen by the Payment Card Industry Security Standards Council (PCI SSC), featuring representation from leading credit card companies such as Visa, Mastercard, American Express, Discover, JCB, and UnionPay. PCI DSS applies to all organizations that handle, process, or store payment card information, including merchants, service providers, financial institutions, and any other entities involved in the payment card transaction process. We have already written about organizations covered by PCI DSS along with how to identify your PCI compliance level. PCI DSS 4.0, scheduled for implementation in March 2024, represents a substantial update to the standard, aligning with the evolving landscape of digital commerce and the imperative for more strict security measures. A notable feature of PCI DSS 4.0 is that it contains requirements applicable to APIs (Requirements 2.2.7; 6.2.3; 6.2.4; 6.3.2). This acknowledges the important role of APIs in the payment processing ecosystem and underscores the essential need for their thorough and secure management. If your APIs are involved in handling, transmitting, or managing credit, debit, or alternative payment card information, you and your technical collaborators must ensure that your APIs are PCI DSS compliant. Let’s see the main PCI DSS 4.0. requirements applicable to API.

How an API works in the financial industry

The financial industry heavily relies on payment API in its third-party payment processing. Payment APIs enable apps and eCommerce sites to accept payments by ensuring communication between all entities involved in the payment process, such as the processor, gateway, and eCommerce platform. In practice, the API function is activated when a user purchases something on an e-commerce site and is then prompted to “Pay with Paypal” or another third-party system. Let’s see how API works in the financial industry:

• When the purchaser selects the payment button, an API triggers a request to obtain information. This request is sent from an application to the web server through the API's Uniform Resource Identifier (URI) and includes a request verb, headers, and sometimes, a request body.
• Upon receiving a valid request from the product webpage, the API initiates communication with the external program or web server, specifically, the third-party payment system.
• The server replies to the API with the information that was requested.
• The API transfers the data to the initial requesting application.

While the data transfer will differ depending on the web service being used, the requests and responses all happen through an API. There is no visibility on the user interface, meaning APIs exchange data within the computer or application, and appear to the user as a seamless connection.

The risk of API abuse

The lack of visibility may lead to API abuse when a malicious party uses an API in a way that was not intended by its original design, such as making excessive requests to a server to cause a DDoS attack or injecting a malicious code into the API. Some common forms of API abuse include:

• Scraping: using automated scripts to extract large amounts of data from an API to slow down or crash the server.
• Spamming: using an API to send large numbers of spam requests. Similar to scraping, spamming can overload the server with excessive requests, leading to performance issues or even server crashes.
• Injection attacks: injecting malicious code into an API request to execute arbitrary commands on the server. Injection attacks can compromise the security of the API and the server, potentially leading to unauthorized access, data manipulation, or other security breaches.
• Stealing data: Using the API to access sensitive information like personal user data or financial information. This is a serious breach of privacy and security. Unauthorized access to sensitive information can result in identity theft, financial loss, and other harmful consequences for individuals and organizations.

According to a May 2023 report by API security company FireTail, more than half a billion records have already been exposed via vulnerable APIs, and 2024 is on track to be a record-high year for API breaches. One of the most infamous API incidents included the T-Mobile data breach when hackers exploited an API to steal the data of 37 million customers.

PCI DSS 4.0. requirements applicable to API security

Unfortunately, more than a quarter of financial services and insurance organizations lack a proper API strategy, which puts them at a higher risk of API breaches. To minimize the risk of API abuse and transmit cardholder account data more securely, implement the necessary PCI DSS security requirements:

Secure API System Components

There are general security measures that organizations should implement to secure API system components:

• Establish a system where only authorized individuals have access to API components. This requires each server to host only one primary function to avoid mixing functions with different security needs.
• Establish secure configuration standards for all API system components to enhance access controls and prevent unauthorized access to API resources.
• Encrypt non-console administrative access to API management systems, configuration interfaces, and other administrative functionalities to mitigate the risk of credential interception and unauthorized access to APIs. If these administrative interfaces were accessed through unencrypted channels, like HTTP rather than HTTPS, malicious actors could intercept sensitive authentication credentials and administrative commands.

Securing API system components helps prevent potential attacks where attackers obtain API keys, authentication tokens, or other sensitive information, which could then be used to gain unauthorized access to APIs or launch further attacks on the system.

Protocol configurations used by the API

Organizations must employ robust cryptographic protocols such as TLS (Transport Layer Security) to encrypt the transmission of cardholder data over public networks. Adhering to this requirement guarantees the integrity and confidentiality of data, reducing the potential for interception and unauthorized access to sensitive information communicated through APIs.

Secure development practices to mitigate and address API vulnerabilities

PCI DSS 4.0 emphasizes the importance of a Secure Software Development Lifecycle (SSDLC) to ensure security in every phase of software development. PCI DSS 4.0 requires maintaining an up-to-date inventory of all bespoke and custom software, including APIs. This inventory serves as the foundation for risk assessment, security testing, and incident response. There must be policies and procedures that dictate how APIs are developed, deployed, and maintained. Centralized management through automated API discovery and inventory tools helps enforce consistent security policies and prevent the proliferation of "shadow" or "zombie" APIs that may escape scrutiny.

Appropriate authentication and authorization (PCI DSS Requirements 7 and 8)

PCI DSS 4.0 introduced several updates and refinements applicable to API security. Authentication and access controls. PCI DSS introduces strict requirements for Authentication and Access Controls. This includes multifactor authentication (MFA) to verify user identities and strong access controls to restrict unauthorized access to data and systems, including sensitive API resources. For example, users accessing sensitive API endpoints may need to provide both a password and a one-time code sent to their mobile device. Improved User Identification and Session Management. The standard mandates organizations to enhance user identification and session management access. This involves implementing unique user IDs, strong password policies, session timeout mechanisms, and monitoring session activities to prevent unauthorized access to APIs. Strengthened Logging, Monitoring, and Access Reviews: PCI DSS 4.0 emphasizes the importance of logging, monitoring, and access reviews. For API security, organizations should to log all API activities, including requests and responses, and conduct regular reviews and audits to identify and remediate unauthorized access attempts or excessive privileges. Enhanced Authentication Mechanisms: The standard requires organizations to strengthen authentication mechanisms, including the implementation of strong encryption protocols, secure tokenization methods, and secure key management practices. This would protect API credentials and prevent unauthorized access.

Conducting regular vulnerability assessments

PCI DSS 4.0. calls for frequent and thorough testing of all related systems and applications, including APIs, to uncover vulnerabilities before they can be exploited. This includes both dynamic application security testing (DAST) and penetration testing, which simulate real-world attack scenarios to identify weaknesses. The concept of "shifting left" is also prominent in PCI DSS 4.0, advocating for security testing to occur earlier in the development cycle. This shift enables organizations to identify and remediate vulnerabilities before software reaches production, reducing the risk of exposure and the cost of fixes.

Practical Steps Towards PCI DSS 4.0. Compliance

APIs represent a unique part of an organization's attack surface and demand meticulous measures to ensure their security. Employing a layered strategy for API security is not only crucial for PCI DSS compliance but, more significantly, for safeguarding data integrity. To comply with PCI DSS 4.0. and enhance your organization's resilience against API-related risks, consider implementing the following measures. Update your inventory. Securing APIs begins with maintaining an up-to-date inventory, as safeguarding the technical aspects of an environment that requires awareness. Organizations need to possess a documented comprehension of the APIs utilized in payment processing, the categorization of the data they manage, and the measures implemented to ensure data security. Implement a robust authorization for APIs. APIs commonly face vulnerabilities related to authorization, making them a prevalent weakness. Thus, it is essential to ensure authentication and accessibility checks for all critical organization resources. Use strong authentication. Leverage MFA (multifactor authentication) wherever possible. Implement authentication restrictions to mitigate the risk of brute force attempts, credential stuffing, and other typical authentication attacks. Securely configure the systems that support APIs. Utilize transport layer security encryption for every server managing cardholder account data. Ensure the inclusion of pertinent security headers and restrict HTTP verbs solely to those meeting business requirements. Conduct regular security audits. Conducting these audits is essential to assess both technical vulnerabilities and business logic flaws in APIs, aiding in the detection of possible weaknesses. Review the PCI DSS 4.0 Updates. All you Need to Know to find out more updates in the upcoming version of the standard and RoC, AoC, and Other Elements of PCI DSS Compliance to learn more about PCI DSS compliance.

Become PCI DSS Compliant with Planet 9

Are you on the way to your PCI DSS compliance journey or unsure where to start? Planet 9 professionals can help you become and remain PCI compliant. Depending on your company’s size and volume of annual credit card transactions, we can, among other things:

• evaluate the ‘security maturity’ of your organization to establish a baseline;
• based on the security maturity and validation requirements, prepare a plan to raise the organizational maturity;
• develop a roadmap for mitigating the identified compliance gaps and risks, and then assist the client on executing the roadmap;
• prepare and share the requirements and steps required to complete the required compliance activities

Book a free consultation today to explore how Planet 9 can help you achieve your security and compliance goals. We’ll be happy to assist!