While many developers are lucky enough to work on systems that don’t take online payments, nearly every application developer needs to deal with sensitive data at some level. Your application may be less attractive to hostile parties, but it is unlikely that it holds nothing of value. If you do have to handle online payments, you are probably already well aware that there are a LOT of stringent requirements around credit card data, no matter what country you are in. While we are talking about PCI DSS requirements, which are specific to the United States, you’ll find that these requirements are common across many countries. After all, best practices are generally applicable – that’s part of how they become best practices.
You’ll also notice that a lot of this has very little to do with code. There’s a reason for this – it takes more than just code to protect a system. In fact, one could reasonably argue that code is a tiny slice of what is required to actually protect sensitive data. There is a lesson in here for all of us who deal with sensitive data as part of our job responsibilities – none of OUR stuff works if the rest of the system isn’t set up well from a security perspective.
PCI compliance is not easy – in fact, there is a huge industry built around helping companies secure their payment processing systems. It is achievable on your own systems as well. While you still need real security professionals to assess the system, there is plenty of work for an enterprising software developer to do. Best of all, if you understand WHY these security precautions are in place, you will tend to write more secure code. Even if you aren’t actively involved in securing a system yourself, understanding the guidelines required for PCI compliance will help you secure other important systems as well.