Pci Dss: Data Exposure
PCI DSS — Security Requirements Mapping
| Article | Requirement | Security Category | CWE |
|---|---|---|---|
| Req. 2.2.7 | All non-console administrative access is encrypted using strong cryptography. | Encryption | CWE-319 |
| Req. 2.2.7 | All non-console administrative access is encrypted using strong cryptography. | Encryption | CWE-319 |
| Req. 4.2.1 | Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of, insecure versions, configurations, or cipher suites. | Encryption | CWE-319 |
| Req. 4.2.1 | Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The encryption strength is appropriate for the encryption methodology in use. | Encryption | CWE-614 |
| Req. 4.2.1 | Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of, insecure versions, configurations, or cipher suites. | Encryption | CWE-319 |
| Req. 4.2.1 | Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. The encryption strength is appropriate for the encryption methodology in use. | Encryption | CWE-614 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to: injection attacks, attacks on data and data structures, attacks on cryptography usage, attacks on business logic including cross-site scripting (XSS) and cross-site request forgery (CSRF), and attacks on access control mechanisms. | Input Validation | CWE-942 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use to prevent or mitigate attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data. | Property Authorization | CWE-915 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use to prevent or mitigate attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. | Bola Authorization | CWE-639 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use to prevent or mitigate attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms. | Bfla Authorization | CWE-862 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use to prevent or mitigate attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms. | Bfla Authorization | CWE-863 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use to prevent or mitigate attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms. | Authentication | CWE-306 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use to prevent or mitigate attacks on access control mechanisms, including attempts to exploit weaknesses in the implementation of such mechanisms. | Authentication | CWE-287 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use to prevent or mitigate injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws. | Llm Security | CWE-1427 |
| Req. 6.2.4 | Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software, including but not limited to: injection attacks, attacks on data and data structures, attacks on cryptography usage, attacks on business logic including cross-site scripting (XSS) and cross-site request forgery (CSRF), and attacks on access control mechanisms. | Input Validation | CWE-942 |
Showing 15 of 44 mapped requirements
How PCI DSS Manifests in Data Exposure
PCI DSS Requirement 3 mandates protection of stored cardholder data, while Requirement 4 focuses on encrypting transmission of cardholder data across open, public networks. In the context of API data exposure, violations often occur when APIs inadvertently return sensitive payment information in responses, headers, or error messages. For example, an API endpoint designed to return user profile details might include a payment_method field containing the last four digits of a PAN (Primary Account Number) or even the full PAN if masking controls are absent. Attackers exploit this through unauthenticated or low-privileged access to enumerate user data, harvesting payment details for fraud.
A real-world pattern mirrors CVE-2021-44228 (Log4Shell) in spirit—though not identical—where insufficient input validation leads to data leakage. In APIs, this manifests as missing output encoding or improper filtering. For instance, a GET /users/{id} endpoint might return:
{
"id": 123,
"name": "John Doe",
"email": "john@example.com",
"payment_method": {
"type": "Visa",
"last_four": "1111",
"exp_month": "12",
"exp_year": "2025"
}
}While returning the last four digits may seem benign, PCI DSS considers any PAN fragment sensitive if combined with other data that could facilitate re-identification. More critically, if the API returns the full PAN due to a misconfiguration—such as a debug flag left enabled in production—it directly violates Requirement 3.2, which prohibits storing sensitive authentication data after authorization. Even transient exposure in API responses counts as a violation if not properly mitigated.
Another vector is excessive data exposure in error messages. An API might return a stack trace containing a database query with embedded cardholder data when a SQL injection attempt fails, violating Requirement 10.2 (tracking and monitoring all access to network resources and cardholder data). These exposure paths are often overlooked in traditional scanning but are critical for PCI DSS compliance.
Data Exposure-Specific Detection
Detecting PCI DSS-relevant data exposure in APIs requires scanning for patterns that indicate leakage of cardholder data or sensitive authentication details. middleBrick’s data exposure checks include regex-based scanning for PAN patterns (e.g., ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|3[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12})$), expiration dates, and service codes in API responses, headers, and error messages. It also scans for tokenized data that may be reversibly mapped to PANs, which still falls under PCI scope if the tokenization system is not properly isolated.
For example, when scanning an endpoint like GET /api/v1/payments/{id}, middleBrick analyzes the response body for any field matching PAN patterns. If a field named cardNumber returns a value like 4111111111111111, it flags this as a critical finding. Similarly, it checks response headers for inadvertent data leaks—such as X-Debug-Info: PAN=4111111111111111—which might appear in misconfigured logging middleware.
The scanner also tests for indirect exposure. Suppose an API returns a customer_vault_token that, when used in a subsequent call to a payment gateway, retrieves the full PAN. middleBrick flags this as a potential data exposure risk if the token is returned in an unauthenticated context, as it could be abused to exfiltrate cardholder data. This aligns with PCI DSS Requirement 3.5, which requires documenting and protecting all cryptographic key management processes—including tokens that effectively serve as keys to data.
To detect these issues, simply run: middlebrick scan https://api.example.com/payments. The tool returns a risk score (A–F) with a breakdown showing the data exposure category score, including specific findings like ‘PAN detected in response body’ or ‘Expiration date exposed in JSON payload’ with line-number context from the response.
Data Exposure-Specific Remediation
Remediating PCI DSS-related data exposure in APIs involves ensuring cardholder data is never transmitted unnecessarily and is always masked or encrypted when storage or transmission is required. The primary fix is to eliminate PAN and sensitive authentication data from API responses unless absolutely required for a legitimate business function—and even then, only in encrypted form.
Consider a Node.js/Express endpoint that incorrectly returns full card details:
app.get('/api/user/:id/payment', (req, res) => {
const payment = db.getPaymentByUserId(req.params.id);
res.json(payment); // Returns { card_number: '4111111111111111', cvv: '123', ... }
});
The remediation is to never return the full PAN, CVV, or PIN. Instead, return only a masked version or a reference token:
app.get('/api/user/:id/payment', (req, res) => {
const payment = db.getPaymentByUserId(req.params.id);
const safePayment = {
id: payment.id,
type: payment.type,
last_four: payment.card_number.slice(-4), // PCI DSS compliant masking
exp_month: payment.exp_month,
exp_year: payment.exp_year
// CVV and full PAN omitted
};
res.json(safePayment);
});
If the full PAN must be retained for backend processing (e.g., recurring payments), it should be tokenized using a PCI-compliant tokenization service, and only the token returned in API responses. The token must be cryptographically secure and non-reversible without access to the tokenization system, which must be isolated per PCI DSS Requirement 3.5.
Additionally, implement output encoding and response filtering to prevent data leakage via error messages. Use a middleware that catches exceptions and returns generic error messages:
app.use((err, req, res, next) => {
console.error(err); // Log internally for debugging
res.status(500).json({ error: 'Internal server error' }); // No stack traces or data
});
Finally, enforce encryption in transit using TLS 1.2 or higher (PCI DSS Requirement 4.1). Ensure your API server redirects HTTP to HTTPS and disables weak cipher suites. These controls collectively ensure that even if data is intercepted, it remains unreadable, and that cardholder data is not exposed via the API unauthenticated attack surface.