Unauthenticated route returns PCI regulated data
Description
The API allows unauthenticated users to access PCI regulated data, which may not be intended.
What is considered payment card industry (PCI) data?
It refers to any sensitive information associated with payment cards that must be protected under the PCI Data Security Standard (PCI DSS).
The standard ensures that businesses handling payment data implement security measures to protect against fraud and breaches.
This data includes credit card numbers, bank account numbers, security codes (CVV/CVC), expiration dates, etc.
Note: Datadog is only able to detect certain types of PCI data.
Rationale
This finding works by identifying an API that both:
- Lacks an authentication mechanism.
- Replies with or accepts requests containing one or more of the following:
  - Credit card numbers (American Express, Mastercard, VISA, etc.)
  - International Bank Account Numbers (IBAN)
Remediation
- Validate that the code does not expect the user to be authenticated to access this resource (AuthN). If this API is in fact authenticated, ensure your code is instrumented correctly: Datadog auto-instruments many event types, so review your instrumented business logic events.
- Validate whether the API is intended to return PCI regulated data.
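The following is an added example (written for this page, not Datadog's detector) that applies the two-part rationale above to a few constructed traffic records: a route is reported only when the request carries no recognizable credential and the request or response body contains a checksum-valid card number or IBAN. The record layout, the set of headers treated as credentials, and the regular expressions are assumptions; the checksum routines (Luhn for cards, ISO 13616 mod-97 for IBANs) are standard.

```python
"""Flag unauthenticated routes that exchange card numbers or IBANs (added example)."""
import re

# Candidate patterns; every hit is confirmed with a checksum so that ordinary
# long digit runs (order ids, build numbers) are not reported as card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
AUTH_HEADERS = ("authorization", "cookie", "x-api-key")  # assumed credential carriers


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35 and require a remainder of 1."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def find_pci_data(text: str) -> dict:
    """Return checksum-valid card numbers and IBANs found in a body, masked to the last 4."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            cards.append("*" * (len(digits) - 4) + digits[-4:])
    ibans = ["****" + m.group().replace(" ", "")[-4:]
             for m in IBAN_RE.finditer(text) if iban_valid(m.group())]
    return {"credit_card": cards, "iban": ibans}


def is_authenticated(headers: dict) -> bool:
    """Assumption: any of the headers above counts as an authentication mechanism."""
    return any(k.lower() in AUTH_HEADERS for k in headers)


def assess_traffic(records: list) -> list:
    """One finding per record that lacks a credential AND carries PCI data in
    either direction (request or response body)."""
    findings = []
    for rec in records:
        if is_authenticated(rec.get("request_headers", {})):
            continue
        hits = {}
        for direction in ("request_body", "response_body"):
            for kind, values in find_pci_data(rec.get(direction, "")).items():
                if values:
                    hits.setdefault(kind, []).extend(values)
        if hits:
            findings.append({"route": rec["route"], "data": hits})
    return findings


# Constructed sample traffic (not real data). Only the first record should be
# reported: no credential, and the response holds a Luhn-valid card number.
# The second is authenticated; the third's 16-digit run fails the Luhn check.
SAMPLE_TRAFFIC = [
    {"route": "GET /api/orders/123", "request_headers": {},
     "response_body": '{"card": "4111 1111 1111 1111", "total": 42}'},
    {"route": "GET /api/account", "request_headers": {"Authorization": "Bearer placeholder"},
     "response_body": '{"iban": "GB82 WEST 1234 5698 7654 32"}'},
    {"route": "GET /api/health", "request_headers": {},
     "response_body": '{"status": "ok", "build": "1234567890123456"}'},
]

if __name__ == "__main__":
    for finding in assess_traffic(SAMPLE_TRAFFIC):
        print(finding)
```

Two points carry over to a real deployment: masking the matched values in the finding keeps the detector itself from becoming a second place where PCI data is stored, and treating the presence of a header as "authenticated" is only a heuristic, which is why the remediation step above asks you to confirm in the code (and in the instrumented business logic events) whether the route really requires a logged-in user.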
References