Security & Maintenance by Prof. Henri Adams

PCI Compliance Checklist for Custom Web Applications

If your custom web application processes, stores, or transmits cardholder data, PCI DSS compliance is not optional. The Payment Card Industry Data Security Standard establishes a baseline of technical and operational requirements designed to protect payment card information. For development teams building custom applications, understanding how these requirements translate into actual code and infrastructure decisions is critical. This checklist breaks down the 12 PCI DSS requirements into actionable items for web application developers.

Understanding PCI DSS at a High Level

PCI DSS was created by the Payment Card Industry Security Standards Council, founded by Visa, Mastercard, American Express, Discover, and JCB. The standard applies to any entity that stores, processes, or transmits cardholder data. For custom web applications, this means that if your application touches credit card numbers, CVVs, expiration dates, or cardholder names in any capacity, you must comply.

The standard is organized around six goals and twelve requirements. Each requirement contains specific sub-requirements and testing procedures. While the full standard is extensive, this checklist focuses on the elements most relevant to custom web application development.

The 12 PCI DSS Requirements Simplified for Developers

Requirement 1: Install and Maintain Network Security Controls

For web applications, this translates to properly configured firewalls, web application firewalls, and network segmentation. Your application should reside in a segmented network environment where the cardholder data environment is isolated from other systems. Implement strict inbound and outbound traffic rules that deny all traffic by default and only allow what is explicitly necessary.

Requirement 2: Apply Secure Configurations to All System Components

Never deploy applications with default credentials, sample data, or unnecessary services enabled. This includes removing default database passwords, disabling debugging modes in production, removing unnecessary PHP extensions or Node modules, and ensuring that server configurations follow hardening benchmarks. Document your secure configuration baseline and verify it before every deployment.

Requirement 3: Protect Stored Account Data

The simplest way to comply is to avoid storing cardholder data entirely. If your application must store card data, implement strong cryptographic controls using industry-accepted algorithms such as AES-256. Never store the full contents of any track data, CVV, or PIN. Implement data retention policies that automatically purge cardholder data when it is no longer needed for business purposes.

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission

Enforce TLS 1.2 or higher for all transmissions of cardholder data across public and private networks. Configure your web server to reject weak cipher suites and protocols. Implement HTTP Strict Transport Security headers and ensure that your application never transmits sensitive data over unencrypted channels, including internal API calls within your infrastructure.

Requirement 5: Protect All Systems and Networks from Malicious Software

Deploy anti-malware solutions on all systems in the cardholder data environment. For web applications, this includes implementing file upload scanning, input validation to prevent malicious payloads, and regular vulnerability scanning of your application dependencies. Keep all system components patched and up to date.

Requirement 6: Develop and Maintain Secure Systems and Software

This is where custom web application development intersects most directly with PCI DSS. You must implement a secure software development lifecycle that includes security requirements in the design phase, code reviews, and security testing before release.

Secure Coding Practices for PCI Compliance

Requirement 6 deserves special attention because it defines how your development team writes and maintains code. The following practices should be embedded in your development workflow.

  • Input validation: Validate all user input on the server side. Never trust client-side validation alone. Use allowlists over denylists wherever possible and sanitize all data before processing or storage.
  • Parameterized queries: Use parameterized queries or prepared statements for all database interactions to prevent SQL injection. ORMs like Eloquent handle this automatically when used correctly, but raw queries must be parameterized explicitly.
  • Output encoding: Encode all output to prevent cross-site scripting attacks. Use context-appropriate encoding for HTML, JavaScript, CSS, and URL contexts.
  • Authentication controls: Implement multi-factor authentication for administrative access. Enforce strong password policies, account lockout mechanisms, and secure session management with appropriate timeout values.
  • Error handling: Never expose stack traces, database errors, or system information to end users. Implement custom error pages and log detailed error information server-side where it can be reviewed securely.
  • Dependency management: Regularly audit third-party libraries and frameworks for known vulnerabilities. Use tools like Composer audit and npm audit to identify and remediate vulnerable dependencies.

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

Implement role-based access control in your application. Users should only have access to the data and functionality required for their role. Administrative functions should be segregated from standard user functions, and access to cardholder data should be limited to the minimum number of individuals necessary.
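The following added example (not code from the original article) shows a deny-by-default role-based check in Node.js in which viewing a PAN is its own permission, granted to one narrow role, and platform administration does not imply it. Role names, permission strings and the order fields are assumptions for the example.

```javascript
// Added example: deny-by-default RBAC with cardholder-data access as a
// separate, narrowly granted permission.
const ROLE_PERMISSIONS = Object.freeze({
  customer: ['order:read:own', 'order:create'],
  support: ['order:read:any', 'refund:create'],
  'pci-operator': ['order:read:any', 'card:view-pan'],   // only role that may see a PAN
  admin: ['user:manage', 'config:manage'],               // platform admin: no card access
});

class AccessDenied extends Error {}

// Union of the permissions from every role the user holds. Unknown roles
// grant nothing, so a typo fails closed.
function permissionsFor(user) {
  const granted = new Set();
  for (const role of user.roles || []) {
    for (const p of ROLE_PERMISSIONS[role] || []) granted.add(p);
  }
  return granted;
}

// `action` is e.g. 'order:read' or 'card:view-pan'. Resource-scoped actions
// resolve as: ':any' wins outright, ':own' needs resource.ownerId === user.id.
function can(user, action, resource) {
  const perms = permissionsFor(user);
  if (perms.has(action)) return true;                  // unscoped permission
  if (perms.has(`${action}:any`)) return true;
  if (perms.has(`${action}:own`)) {
    return resource != null && resource.ownerId === user.id;
  }
  return false;                                        // deny by default
}

// Guard for handlers and service methods: throws, so a forgotten check
// cannot quietly succeed.
function authorize(user, action, resource) {
  if (!can(user, action, resource)) {
    throw new AccessDenied(`${user.id} may not ${action}`);
  }
}

// Service method using the guard. The PAN is only attached when the caller
// explicitly asks for it and holds the dedicated permission.
function viewOrder(user, order, { revealPan = false } = {}) {
  authorize(user, 'order:read', order);
  const view = { id: order.id, total: order.total, last4: order.last4 };
  if (revealPan) {
    authorize(user, 'card:view-pan');
    view.pan = order.pan;   // assumed already decrypted by the data layer
  }
  return view;
}
```

Keeping `card:view-pan` off the admin role is the "need to know" part of the requirement: the people who run the platform rarely need to see card numbers, and auditors will ask who can.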

Requirement 8: Identify Users and Authenticate Access to System Components

Assign unique identifiers to every user. Never use shared or generic accounts. Implement strong authentication mechanisms including password complexity requirements, session timeouts, and multi-factor authentication for all non-console administrative access and all remote access to the cardholder data environment.

Logging and Monitoring Requirements

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Implement comprehensive logging that captures all access to cardholder data, all actions taken by any individual with administrative privileges, access to audit trails, invalid logical access attempts, and use of identification and authentication mechanisms. Logs must include user identification, event type, date and time, success or failure indication, origination of the event, and the identity or name of affected data or resource.

Store logs securely and protect them from tampering. Implement centralized log management and review logs daily. Automated alerting for suspicious activity is strongly recommended and required for certain event types under PCI DSS v4.0.

Requirement 11: Test Security of Systems and Networks Regularly

Conduct regular vulnerability scans using approved scanning vendors for external scans. Perform internal vulnerability scans quarterly and after any significant change. Penetration testing should be conducted annually and after significant infrastructure or application changes. Implement a process to address vulnerabilities identified during scanning and testing.

Network Segmentation Best Practices

While not a standalone requirement, network segmentation is referenced throughout PCI DSS and is the single most effective strategy for reducing your compliance scope. By isolating the systems that process, store, or transmit cardholder data from the rest of your network, you limit the number of systems that must meet PCI DSS requirements.

For custom web applications, this means deploying your payment processing components in a dedicated network segment with strict firewall rules governing traffic between segments. Your application's non-payment functions, development environments, and general corporate network should be segmented away from the cardholder data environment. Verify segmentation controls through penetration testing at least annually.

Requirement 12: Support Information Security with Organizational Policies and Programs

Maintain a comprehensive information security policy that addresses all PCI DSS requirements. Ensure that all personnel are aware of the policy and their responsibilities through regular security awareness training. Establish an incident response plan that is tested annually and updated as needed.

Applying This Checklist to Your Next Project

PCI compliance for custom web applications is not a one-time checkbox exercise. It requires ongoing vigilance, regular testing, and a development culture that prioritizes security at every stage. At Forth Media, we integrate PCI DSS requirements into our development lifecycle from day one, ensuring that compliance is built into the architecture rather than bolted on as an afterthought. If your organization is building or maintaining a custom application that handles payment data, we can help you navigate the technical requirements and build a solution that is both compliant and performant.