Web APIs threaten compliance because they expose back-end systems and data to unknown third-party applications, so the security policies that address compliance control objectives must evolve. Web API compliance risks include breaches of consumer identity data and theft of other confidential information. In the case of PCI DSS, for example, companies that do not secure their APIs face difficulty passing a compliance scan. Worse, they face major fines and liability in the event of a security breach caused by an inadequately controlled API.
This paper examines the implications of Web APIs for compliance, presents examples, and recommends solutions.