Breadcrumbs

PCI DSS CWE Coverage

Overview

The Payment Card Industry Security Standards Council (PCI SSC) plays a crucial role in application security for organizations that handle payment card data.
The PCI SSC is responsible for developing and maintaining the Payment Card Industry Data Security Standard (PCI DSS). This standard is designed to ensure that companies accepting, processing, storing, or transmitting credit card information maintain a secure environment.

This article organizes Common Weakness Enumerations (CWEs) relevant to PCI DSS.
Each row in the table below outlines a specific compliance standard, categorized by the following columns:

  1. Compliance Standard: The specific category of the standard to which the CWE is mapped.

  2. CWE-ID: The relevant CWE for this standard.

PCI DSS 4.0 CWE Coverage

Compliance Standard

CWE-ID

6.2.4

  • CWE-325: Missing Cryptographic Step

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-780: Use of RSA Algorithm without OAEP

6.2.4: Attack on data structure

  • CWE-400: Uncontrolled Resource Consumption

  • CWE-415: Double Free

  • CWE-416: Use After Free

  • CWE-789: Memory Allocation with Excessive Size Value

  • CWE-1333: Inefficient Regular Expression Complexity

6.2.4: Attacks on access control mechanisms

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

  • CWE-73: External Control of File Name or Path

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-208: Observable Timing Discrepancy

  • CWE-250: Execution with Unnecessary Privileges

  • CWE-256: Plaintext Storage of a Password

  • CWE-260: Password in Configuration File

  • CWE-732: Incorrect Permission Assignment for Critical Resource

  • CWE-798: Use of Hard-coded Credentials

6.2.4: Buffer overflow - attack on data structure

  • CWE-121: Stack-based Buffer Overflow

6.2.4: Business logic attacks

  • CWE-346: Origin Validation Error

  • CWE-434: Unrestricted Upload of File with Dangerous Type

  • CWE-472: External Control of Assumed-Immutable Web Parameter

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains

  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

6.2.4: Cryptography usage

  • CWE-295: Improper Certificate Validation

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-312: Cleartext Storage of Sensitive Information

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-1204: Generation of Weak Initialization Vector (IV)

6.2.4: CSRF - business logic attacks

  • CWE-352: Cross-Site Request Forgery (CSRF)

6.2.4: Deserialization - attack on data structure

  • CWE-502: Deserialization of Untrusted Data

6.2.4: Injection

  • CWE-15: External Control of System or Configuration Setting

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-114: Process Control

  • CWE-117: Improper Output Neutralization for Logs

  • CWE-134: Use of Externally-Controlled Format String

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

6.2.4: int overflow - attack on data structure

  • CWE-190: Integer Overflow or Wraparound

6.2.4: int underflow - attack on data structure

  • CWE-191: Integer Underflow (Wrap or Wraparound)

6.2.4: NULL dereference - attack on data structure

  • CWE-476: NULL Pointer Dereference

6.2.4: OOB Read - attack on data structure

  • CWE-125: Out-of-bounds Read

6.2.4: OOB Write - attack on data structure

  • CWE-787: Out-of-bounds Write

6.2.4: SSRF

  • CWE-918: Server-Side Request Forgery (SSRF)

6.2.4: Unsafe input validation - attack on data structure

  • CWE-20: Improper Input Validation

6.2.4: XSS - business logic attacks

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.3.2

  • CWE-1104: Use of Unmaintained Third Party Components

PCI DSS 3.2 CWE Coverage

Compliance Standard

CWE-ID

6.5.10: Broken Authentication and Session Management

  • CWE-384: Session Fixation

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

6.5.1: Injection Flaws

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

6.5.2: Buffer Overflows

  • CWE-121: Stack-based Buffer Overflow

6.5.3: Insecure Cryptographic Storage

  • CWE-256: Plaintext Storage of a Password

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-798: Use of Hard-coded Credentials

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-1204: Generation of Weak Initialization Vector (IV)

6.5.9: Cross-Site Request Forgery (CSRF)

  • CWE-352: Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Access Control

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-918: Server-Side Request Forgery (SSRF)