PCI Requirement 6.5.9 – Cross-Site Request Forgery

by Randy Bartels / October 13th, 2017

What is Cross-Site Request Forgery?

PCI Requirement 6.5.9 states that your organization’s applications are protected from cross-site request forgery (CSRF). PCI Requirement 6.5.9 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise.

OWASP describes a CSRF as a type of attack that forces an end-user to execute unwanted actions on a web application in which they’re currently authenticated. The PCI DSS defines CSRF as, “…an attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then enables the attacker to perform any state-changing operations the victim is authorized to perform (such as updating account details, making purchases, or even authenticating to the application).” You may be wondering what the difference is between cross-site scripting (XSS) and CSRF. While CSRF occurs in an authenticated session of a web application, XSS does not need authentication information to exploit a vulnerable web application.

Your policies and procedures related to application development should specifically address coding techniques that ensure applications do not rely on authorization credentials and tokens automatically submitted by browsers. To verify your compliance with PCI Requirement 6.5.9, an assessor will review your policies and procedures and interview the responsible personnel to ensure that your development process protects your applications from CSRF.

With cross-site request forgery, we have a malicious site that’s causing an end user’s browser to send a pre-authenticated request to send information to an attacker. As part of your development process, we need to test and make sure that your website is void of any cross-site request forgery.