Web and mobile technologies have created remarkable opportunities for retailers and financial services organizations to provide consumers with convenient, on-the-go payment options. The API is the key technology that enables these opportunities by making it possible to open the backend systems that power payment card networks to Web apps and mobile devices.
To protect sensitive cardholder data, payment APIs must meet the industry's most important security standards. The Payment Card Industry Data Security Standard (PCI-DSS) is a vital set of security requirements and standards established by the likes of Visa, MasterCard and American Express for organizations that deal with credit card information.
While properly implementing all of the requirements laid out in the PCI-DSS standard for each of your APIs that handle cardholder data can grant you PCI compliance status, compliance does not necessarily mean your cardholder data is protected. To prevent data breach incidents involving cardholder data, the strongest possible implementation of the PCI-DSS standard is required.
PCI-DSS outlines how encryption and tokenization can be used to make cardholder data unusable, should it fall into the wrong hands. However, the strategies outlined in the standard present a number of significant implementation challenges for organizations that publish payment APIs:
CA API Gateway can be deployed as a hardware appliance that offloads processor-intensive tasks to address all of these challenges. It can be used as an integral part of a PCI-compliant system, acting as a centralized, flexible policy enforcement point able to keep cardholder data highly secure over the long term.
CA API Gateway technology has achieved the highest possible security certifications, including Common Criteria (an international standard for computer security required by many countries’ governments). CA API Gateway provides message-level encryption via a PKI engine and delivers FIPS 140-2 Level 3 SSL communications for all incoming and outgoing message traffic, ensuring encryption at both transport and message layers.
As a result, even if a breach of security occurs and data is removed from the gateway, it will remain encrypted and secure. Access to keys and encrypted audits is fully controlled via an integrated role-based access control (RBAC) system.
CA API Gateway also features extensive threat and intrusion protection at the transport and message levels. It ships with a minimal-install, hardened operating system coupled with a strictly configured firewall, ensuring only the ports required for message traffic are open.
Out-of-the-box threat protection assertions enable users to create policies that guard against SQL and LDAP injection, code injection, CSRF and message structure attacks, as well as viruses and replay attacks. This ensures that the gateway is properly protecting backend services from a variety of threats and malicious traffic.