PCI DSS 4.01 Annual Update for Developers

This course has been designed to help:

• Web Developers

• Technical QA Managers and Testers,

• Software Architects,

• Development Managers

Participants should have experience of data-driven web development in a language such as Java, C#, VB.NET, PHP - or be involved in the testing of web applications. Knowledge of JavaScript would also be useful.

This PCI DSS refresher course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).

Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.

PCI DSS Update / Refresher

• The importance of PCI DSS compliance

• High-level summary of changes and key goals of PCI DSS 4.0

Key Focus Areas of PCI DSS 4.0

• Flexibility for organisations

• Increasing focus on security over compliance

• Target risk-based approach

Secure Development Life cycle

• Exploring the real risk to your business - what's the worst that can happen?

• Analysing attack surface & Threat Modelling

• Tooling review

• Security testing

• Response Plan review

• Hands-on Session: Authentication and Multi-Factor Authentication (MFA) in PCI DSS 4.0

Overview of Authentication Changes

• Review of new authentication requirements.

• MFA: Why it's important and what’s new in PCI DSS 4.0

• Hands-On Lab

Encryption and Cryptographic Changes in PCI DSS 4.0

• Enhanced encryption and key management practices in PCI DSS 4.0.

• New cryptographic algorithms and minimum key length requirements.

• Hands-On Lab

• Implement encryption of data in transit and at rest following PCI DSS 4.0 recommendations.

• Review encryption protocols and update deprecated methods.

Securing Software Development: Addressing Secure Coding and Vulnerability Management

• Overview of new controls for secure software development lifecycle (SDLC) in PCI DSS 4.0.

• Key considerations for developers (threat modeling, secure code reviews).

• Hands-On Lab

• Reviewing code for security vulnerabilities.

• Best practices for patching and vulnerability management.

Logging and Monitoring Requirements in PCI DSS 4.0

• Changes to logging requirements (enhanced granularity, retention policies).

• Importance of real-time monitoring for detecting anomalies.

• Hands-On Lab

Testing and Validating Compliance: Ongoing Monitoring and Assessment

• Overview of new testing controls (e.g., regular penetration testing, phishing simulations).

• Continuous security testing approaches.

• Hands-On Lab

Wrap-up Discussion

• How developers can ensure their systems remain compliant in the future.

• Best practices for continuous assessment and audit readiness.

• Overview of OWASP Top Ten vulnerabilities (Web Application Security, APIs and more)

• PCI Security Standards Council Official Website: The governing body for PCI DSS, providing access to standards, resources, and programs. https://www.pcisecuritystandards.org/

• PCI DSS Document Library: Access the official PCI DSS standard document and supporting materials. (Requires free registration to download the full standard). https://www.pcisecuritystandards.org/document_library

• OWASP Top Ten 2021 Web Application Security Risks: The specific list of top web application security risks referenced in this course. https://owasp.org/www-project-top-ten/

• OWASP Application Security Verification Standard (ASVS): A comprehensive list of application security requirements that can be used to establish secure development standards. https://owasp.org/www-project-asvs/

• OWASP Cheatsheet Series: Provides concise, practical guidance on preventing common web application vulnerabilities through secure coding. https://cheatsheetseries.owasp.org/