Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations Sazzadur Rahaman1, Gang Wang2, Danfeng (Daphne) Yao1 1Computer Science, Virginia Tech, Blacksburg, VA 2Computer Science, University of Illinois at Urbana-Champaign, Urbana, IL
[email protected],
[email protected],
[email protected] Abstract ACM Reference Format: The massive payment card industry (PCI) involves various entities Sazzadur Rahaman, Gang Wang, Danfeng (Daphne) Yao. 2019. Security such as merchants, issuer banks, acquirer banks, and card brands. Certification in Payment Card Industry: Testbeds, Measurements, and Rec- Ensuring security for all entities that process payment card infor- ommendations. In 2019 ACM SIGSAC Conference on Computer & Commu- mation is a challenging task. The PCI Security Standards Council nications Security (CCS’19), November 11–15, 2019, London, UK. ACM, New requires all entities to be compliant with the PCI Data Security York, NY, USA, 18 pages. https://doi.org/10.1145/3319535.3363195 Standard (DSS), which specifies a series of security requirements. However, little is known regarding how well PCI DSS is enforced in 1 Introduction practice. In this paper, we take a measurement approach to system- Payment systems are critical targets that attract financially driven atically evaluate the PCI DSS certification process for e-commerce attacks. Major card brands (including Visa, MasterCard, American websites. We develop an e-commerce web application testbed, Bug- Express, Discover, and JCB) formed an alliance named Payment gyCart, which can flexibly add or remove 35 PCI DSS related Card Industry Security Standards Council (PCI SSC) to standardize vulnerabilities. Then we use the testbed to examine the capability the security requirements of the ecosystem at a global scale.