An Eye on the Regulatory Landscape

All organizations that protect, process, transmit or store payment card data must meet the Payment Card Industry Data Security Standards (PCI-DSS) and Payment Application Data Security Standards (PA-DSS).

Both standards require everyone involved in software development and maintenance to be familiar with common application vulnerabilities and secure coding practices, such as the OWASP Top 10 and the CWE/SANS Top 25.



SCIPP’s Secure Web Application Development Awareness (SWADA) program was specifically designed to meet these requirements.

SWADA reviews threats at each stage of the Software Development Life Cycle (SDLC) and best coding practices that can be used to prove compliance to auditors, clients and PCI/PA-DSS examiners.

If you use outside IT vendors or contractors, SWADA training should be a condition of doing business with your organization. Some of the largest data breaches to date have originated through IT contractors and third party applications.

PCI-DSS Requirement 6.5

(Payment Card Industry Data Security Standard)

Develop all web applications based on secure coding guidelines, such as the Open Web Application Security Project (OWASP) Guidelines. Review custom application code to identify coding vulnerabilities in software development processes.

Read More

PA-DSS Requirement 5.2

(Payment Application Data Security Standard)

Develop all web payment applications (internal and external), based on secure coding guidelines such as the OWASP Guide. More…

Read More

OCC Bulletin 2008-16 Guidance

(Office of the Comptroller of the Currency)


All applications, whether internally developed, vendor-acquired, or contracted for, should be subject to appropriate security risk assessment and mitigation processes.”

Read More