PCI Compliance for APIs

Enable secure, convenient payments.

Web and mobile technologies have created remarkable opportunities for retailers and financial services organizations to provide consumers with convenient, on-the-go payment options. The API is the key technology that enables these opportunities by making it possible to open the backend systems that power payment card networks to Web apps and mobile devices.

To protect sensitive cardholder data, payment APIs must meet the industry’s most important security standards. The Payment Card Industry—Data Security Standard (PCI-DSS) is a vital set of security requirements and standards established by the likes of Visa, MasterCard and American Express for organizations that deal with credit card information.

While properly implementing all of the requirements laid out in the PCI-DSS standard for each of your APIs that handle cardholder data can grant you PCI compliance status, compliance does not necessarily mean your cardholder data is protected. To prevent data breach incidents involving cardholder data, the strongest possible implementation of the PCI-DSS standard is required.

EBook: 5 Simple Strategies for Securing APIs

Simplify strong PCI-DSS deployment.

PCI-DSS outlines how encryption and tokenization can be used to make cardholder data unusable, should it fall into the wrong hands. However, the strategies outlined in the standard present a number of significant implementation challenges for organizations that publish payment APIs:

  • Building encryption or tokenization into APIs often needs to be supported by additional coding or maintenance.
  • Both SSL and message-level encryption are computationally expensive and will often require upgrades to hardware in order to realize satisfactory performance.
  • Implementing, securing and governing a PKI system that can store private keys, provision new key pairs and manage role-based user access can be complex.
  • Tokenization is a newer technology with evolving standards, so there is no guarantee that what you implement today will be approved for PCI compliance tomorrow.

CA API Gateway can be deployed as a hardware appliance that offloads processor-intensive tasks to address all of these challenges. It can be used as an integral part of a PCI-compliant system–acting as a centralized, flexible policy enforcement point able to keep cardholder data highly secure over the long term.

Solution Brief: Ensuring PCI Compliance with APIs

Powerful PCI-complaint security functionality.

CA API Gateway technology has achieved the highest possible security certifications, including Common Criteria (an international standard for computer security required by many countries’ governments). CA API Gateway provides message-level encryption via a PKI engine and delivers FIPS 140-2 Level 3 SSL communications for all incoming and outgoing message traffic, ensuring encryption at both transport and message layers.

As a result, even if a breach of security occurs and data is removed from the gateway, it will remain encrypted and secure. Access to keys and encrypted audits is fully controlled via an integrated role-based access control (RBAC) system.

CA API Gateway also features extensive threat and intrusion protection at the transport and message levels. It ships with a minimal-install, hardened operating system coupled with a strictly configured firewall, ensuring only the ports required for message traffic are open.

Out-of-the-box threat protection assertions enables users to create policies that guard against SQL and LDAP injection, code injection, CSRF and message structure attacks, as well as viruses and replay attacks. This ensures that the gateway is properly protecting backend services from a variety of threats and malicious traffic.

Data Sheet: CA API Gateways

Learn more about this solution

Visit the CA API Gateway page >

Video

CA API Management Overview

Secure and manage APIs for partner, developer, mobile and cloud access.

CA API Management Overview

Analyst Report

The Forrester Wave: API Management Solutions, Q3 2014

Read a detailed evaluation of top API management vendors.

The Forrester Wave: API Management Solutions, Q3 2014

Data Sheet

CA API Management Suite

Make API-based information sharing safe reliable and cost-effective.

CA API Management Suite