The Payment Card Industry Data Security Standard (PCI DSS) is something that by now even consumers are aware of. Those six letters can mean the difference between millions in sales for some companies and millions in losses and fines. On June 30, a change to the PCI DSS takes effect, and web security finally has some teeth: web application security testing will no longer be an afterthought, it becomes a requirement.
Section 6.6 just got better. (IMG: J. Anderson)
PCI DSS is nothing new to retailers who process credit or debit card information. American Express Co., Visa International, MasterCard Worldwide, Discover Financial Services LLC, and Japan-based JCB International Credit Card Co. Ltd teamed up to create PCI DSS as a means to offer better security worldwide and to protect consumer information. Granted, compliance also offsets the cost of breaches for the card brands and the banks, so it helps them as well.
Section 6.6 is where all the joy comes from. It says that companies who take credit or debit cards online must either have their public-facing web application code reviewed for vulnerabilities or put a web application firewall in front of it in order to remain PCI compliant.
“PCI DSS Requirement 6.6 provides two options that are intended to address common threats to cardholder data and ensure that input to web applications from untrusted environments is inspected ‘top to bottom.’ The details of how to meet this requirement will vary depending on the specific implementation supporting a particular application. Forensic analyses of cardholder data compromises have shown that web applications are frequently the initial point of attack upon cardholder data, through SQL injection in particular,” the PCI Security Standards Council stated recently.
Code review, whether done by hand, with automated tools, or both, is obviously the best way to catch issues, yet it will likely be the option of last resort. A web application firewall appliance looks like the most cost-effective route, so most companies will probably opt for it. However, a firewall only filters the requests it recognizes as hostile; unless the appliance also scans the site and finds the flaws ahead of time, the code behind it is still vulnerable to anything the filter does not match.
The general thought is that by June 30, most of the companies who need to will fail to comply with section 6.6. The sad reality is that the quick-fix mentality will cause many of the compliance issues, because an application firewall only places a Band-Aid on the gaping wound that is poor code development.
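The difference between the two 6.6 options in working code, as an added example that is not from the original post, from the PCI SSC, or from any real product: a constructed SQLite customer lookup that concatenates untrusted input into the query (the defect a code review is there to flag), the same lookup with a bound parameter (the actual fix), and a toy signature-based filter standing in for a web application firewall. The table, its rows, the payloads, and the filter's patterns are all invented for the example; the point it shows is that the filter stops the textbook payload but not a variant, while the fixed code is indifferent to both.

```python
import re
import sqlite3

# Constructed sample data for the example; not real cardholder data.
ROWS = [("alice", "1111"), ("bob", "2222"), ("carol", "3333")]


def make_db():
    """In-memory table standing in for a merchant's customer lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, pan_last4 TEXT)"
    )
    conn.executemany("INSERT INTO cards (customer, pan_last4) VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, customer):
    """The defect a 6.6 code review exists to find: untrusted input is
    concatenated straight into the SQL text, so the caller controls the query."""
    sql = "SELECT customer, pan_last4 FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, customer):
    """The real fix: the input is bound as a parameter and can only ever be
    compared as a value, never parsed as SQL."""
    sql = "SELECT customer, pan_last4 FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# A toy stand-in for a signature-based web application firewall rule set.
# These patterns are invented for this example; real products ship far more
# of them, but the limitation shown below is the same in kind.
WAF_SIGNATURES = re.compile(
    r"\bor\s+1\s*=\s*1\b|--|\bunion\s+select\b", re.IGNORECASE
)


def waf_blocks(value):
    """True if the naive filter would reject this request parameter."""
    return WAF_SIGNATURES.search(value) is not None


def guarded_lookup(conn, customer):
    """The 'quick fix' deployment: unchanged vulnerable code behind the filter.
    Returns None when the filter drops the request."""
    if waf_blocks(customer):
        return None
    return lookup_vulnerable(conn, customer)


if __name__ == "__main__":
    db = make_db()
    textbook = "' OR 1=1 --"   # the payload every signature list contains
    variant = "' OR 'x'='x"    # same effect, no signature hit
    print("filter stops textbook payload:", waf_blocks(textbook))            # True
    print("filter stops variant:         ", waf_blocks(variant))             # False
    print("rows leaked through filter:   ", len(guarded_lookup(db, variant)))  # 3
    print("rows from fixed code:         ", len(lookup_fixed(db, variant)))    # 0
```

Run it and the filter catches the payload it was written for and nothing else, while `lookup_fixed` returns no rows for either payload because the whole string is compared as a customer name. That is the gap a code review closes and a filter only narrows.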
So will your website be compliant?
Some further reading: http://tinyurl.com/45op4z (PCI SSC supporting information on requirement 6.6)
Mike, Jun 17th, 2008 - 05:14:01
Check out the latest blog post on PCIAnswers.com talking about PCI DSS Requirement 6.6.