PCI DSS CWE Coverage

Overview

The Payment Card Industry Security Standards Council (PCI SSC) plays a crucial role in application security for organizations that handle payment card data.
The PCI SSC is responsible for developing and maintaining the Payment Card Industry Data Security Standard (PCI DSS). This standard is designed to ensure that companies accepting, processing, storing, or transmitting credit card information maintain a secure environment.

This article organizes Common Weakness Enumerations (CWEs) relevant to PCI DSS.
Each row in the table below outlines a specific compliance standard, categorized by the following columns:

Compliance Standard: The specific category of the standard to which the CWE is mapped.
Languages: Supported programming languages.
CWE-ID: The relevant CWE for this standard, along with a short description.

PCI DSS CWE Coverage

Compliance Standard	Languages	CWE-ID
6.5.10: Broken Authentication and Session Management	C# Gen 2 JavaScript / TypeScript Gen 2 PHP	CWE-384: Session Fixation CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
6.5.1: Injection Flaws	ABAP ASP Classic/Visual Basic/VBScript Apex C# C# Gen 2 C/C++ (Beta) Cobol ColdFusion Go Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP PLSQL Python Python Gen 2 R Ruby TypeScript VB.Net Xamarin (C#)	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE-611: Improper Restriction of XML External Entity Reference CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
6.5.2: Buffer Overflows	C/C++ (Beta) Cobol	CWE-121: Stack-based Buffer Overflow
6.5.3: Insecure Cryptographic Storage	ASP Classic/Visual Basic/VBScript Android Java Apex C# C# Gen 2 Go Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP Python Python Gen 2 R Ruby Swift TypeScript VB.Net Xamarin (C#) iOS Objective-C	CWE-321: Use of Hard-coded Cryptographic Key CWE-325: Missing Cryptographic Step CWE-326: Inadequate Encryption Strength CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-328: Use of Weak Hash CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-780: Use of RSA Algorithm without OAEP CWE-798: Use of Hard-coded Credentials CWE-916: Use of Password Hash With Insufficient Computational Effort CWE-1204: Generation of Weak Initialization Vector (IV)
Cross-Site Scripting (XSS)	JavaScript / Node.js JavaScript / TypeScript Gen 2 TypeScript	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Access Control	ABAP ASP Classic/Visual Basic/VBScript Apex C# C# Gen 2 C/C++ (Beta) ColdFusion Go Groovy Java Java Gen 2 JavaScript / Node.js JavaScript / TypeScript Gen 2 Kotlin Kotlin Mobile PHP PLSQL Python Python Gen 2 R Ruby TypeScript VB.Net Xamarin (C#)	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-918: Server-Side Request Forgery (SSRF)