
PCI DSS Secure Web App Development

This PCI DSS Training Course aims to address a significant requirement of the updated PCI DSS 3.0, which is to ensure that relevant training is given to any software developers involved in developing & maintaining such financial applications and services. The new Payment Card Industry Data Security Standard v. 3.0 deadline came into force on January 1, 2015.

If your web applications or systems have any involvement with processing or storing credit card data in any form, then the PCI DSS will almost certainly affect you. This still applies even if your web services / code is not financial by nature, but still resides on a shared resource which also stores or processes credit card data.

Security breaches and failures can lead to harsh penalties from member organisations (such as Visa and Mastercard), and the nature of the penalty depends on various factors such as the extent of non-compliance with PCI data security standards found during a forensic investigation, and the number of affected accounts / records breached.

The PCI Data Security Standards draw heavily on the current OWASP Top Ten Web Application Security Risks.

These largely affect cross-platform web technologies, and as such our course can be suitable for anyone involved in web development; our hands-on exercises and code demonstrations are delivered with examples in ASP.NET (with VB.NET or C#) or Java, but we can tailor the course for on-site delivery and focus on your development language / platform of choice (PHP, HTML5, Python et al).

This course isn’t just about ticking boxes and jumping through hoops though – we aim to instill a good understanding of the importance of designing, developing and deploying secure web applications, and this course will be useful for any web developers who want to improve the robustness of their code.


Learning Objectives

What you will learn

  • Payment Card Industry Data Security Standards for Software Development
  • Secure Development Lifecycle
  • OWASP Top 10 Threats with code examples
  • Crypto techniques
  • Fuzz testing


Experience of data-driven web development in a language such as Java, C#, VB.NET, PHP.

Knowledge of JavaScript would also be useful.

Course Content

Introduction to Security

What is Application Security and why does it matter?

Payment Card Industry Data Security Standards - PCI-DSS

  • Who / what is the PCI made up of?
  • What PCI DSS means to Software Developers
  • Ensuring compliance through design and coding best practices

SDL in depth

  • Analysing security and privacy risk
  • Attack surface analysis
  • Threat Modeling
  • Identifying the right tools
  • Enforcing banned functions
  • Static analysis
  • Dynamic / Fuzz Testing
  • Response Plan
  • Final Security Review

Hands-on with the OWASP 2013 Top 10 Web Application Security Risks

  • A1-Injection
  • A2-Broken Authentication and Session Management
  • A3-Cross-Site Scripting (XSS)
  • A4-Insecure Direct Object References
  • A5-Security Misconfiguration
  • A6-Sensitive Data Exposure
  • A7-Missing Function Level Access Control
  • A8-Cross-Site Request Forgery (CSRF)
  • A9-Using Components with Known Vulnerabilities
  • A10-Unvalidated Redirects and Forwards

Beyond OWASP

  • Data Protection Mechanisms (crypto and more)
  • Fuzz testing and other tools
  • Clickjacking
  • Response Splitting
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • Exploiting authentication
  • Language issues
  • Data devaluation
  • Tokenisation solutions
  • Auditing & Logging Solutions


  • Applying what you've learnt in the real world.
  • Understanding the business impact of insecure software (beyond just PCI compliance)
