Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel. The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (
NCC Group has published some guidance for finance/e-commerce application penetration testers. Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections: Time-of-Check-Time-of-Use (TOCTOU) and race condition issues; Parameter manipulation; Replay attacks (capture-replay); Rounding issues; Numerical processing; Card number-relat
Lots happening this week. The Payment Card Industry Security Standard Council (PCI SSC) has announced the release of an update to the PCI Data Security Standard (PCI DSS). PCI DSS v3.1 (15 April 2015) includes several changes to reflect changing threats and recently discovered vulnerabilities, and also includes some clarifications and additional guidance. Th
The Financial Fraud Action UK (FFA UK) has published its latest figures about financial fraud in the UK. E-commerce card fraud losses increased from £190.1m in 2013 to £217.4m in 2014, a 14 per cent rise. In a news release published at the end of March, the FFA UK states the increase is primarily due to a change in tactic by fraudsters who are deceiving custom
The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has published another information supplement for PCI Data Security Standard (PCI DSS), this time on penetration testing. It would appear there has been a large variability in penetration tests being undertaken for PCI DSS. Information Supplement: Penetration Testing Guidance, v1 March 2015,
Verizon has published its annual PCI Compliance Report 2015 covering data up to the end of 2014, describing compliance, the sustainability of controls and ongoing risk management. PCI Compliance Report 2015 analyses information from PCI Data Security Standard (PCI DSS) assessments undertaken by Verizon between 2012 and 2014, together with additional data from
Personalised greetings card service Moonpig was all over the popular news yesterday. Paul Price found an exploitable weakness in Moonpig's public API and contacted them in August 2013, and again a year later. Eventually he gave up and published details on Monday. Following much Twitter activity, yesterday Moonpig tweeted: We are aware of claims re customer data
Lancaster-based apartment booking company Worldview Limited has been fined under the Data Protection Act for allowing unauthorised access to customers' details. The company operates under two UK brands, Citybase Apartments and Central London Apartments. Although customers' payment details had been encrypted, the means to decrypt the information - known as the
The announcement last week by researchers from Newcastle University about a problem with Visa's contactless cards reminded me to mention again common issues with checkout and payment functions in web and mobile applications. The Visa fault relates to not enforcing the same limits on transactions when using foreign currencies. The paper is being presented this
In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is, an awareness document for application security risks and controls. Snakes and Ladders is a popular board game, with ancient provenance, imported into Great Britain from Asia by the 19th century. The original game showed the effects o
The chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK has been comprehensively updated. Principal Influences on UK Applications is managed by me and published on my company's web site as a mind map diagram and text tree, together with a