TechLINKS - The Guide to Technology in Georgia
Login  |  Register

Community Publishing

Current Articles | Categories | Search | RSS Feeds | Create Article | Print

  Forward to a Friend
What You Need to Know About PCI Compliance and Web Application Security Policy Changes
By Michael Sutton on Wednesday, April 16, 2008

If you are a merchant that processes credit cards you are probably well aware of Payment Card Industry (PCI) compliance, but may not be sure how web application security fits into the picture, or some of the changes that will be made in the near future.

In June 2008, section 6.6 of the PCI compliance rules will go from “best practice” to “mandatory requirement.” This means that some businesses may have to reevaluate their web application security processes. If these security practices were handled from the start, as the applications were built, businesses would not be scrambling to add security to existing applications. Unfortunately, this is often not the case.

What PCI Compliance Means

As credit card use has become more widespread both offline and online, and as consumer concern about security has understandably grown, the credit card industries have made an effort to ensure that sensitive information is protected.

In September 2006, the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) formed the PCI Security Standards Council (SSC) and established a set of rules for what they call PCI compliance. These rules have to be followed depending on the size of a business and the number of credit card transactions handled, and if done properly will help protect consumer data from theft.

The Rules for PCI Compliance

The six major categories within the standards established by the PCI SSC are as follows:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Within these six categories are 12 requirements that address particular issues and that are directly related to web application security:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Each requirement for PCI compliance is broken up into a variety of subsections that go into detail about the process, and the full list can be viewed at www.pcicomplianceguide.org. Section 6.6 - the most important subsection regarding web application security because it is coming under scrutiny this year - states the following:

Ensure that web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
  • Installing an application layer firewall in front of web facing applications.

As a result of this upcoming change, companies should have a game plan in place for web application security. Until now, companies may not have taken PCI compliance very seriously. No major fines have been levied for noncompliance so far and the entire process may have been seen as nonessential. But with this new change to 6.6, IT teams around the world are evaluating the strengths and weaknesses between web application firewalls, code reviews and application assessment software.

What It Means for Your Business

Many businesses and government organizations have historically focused their attention on network security rather than web application security, and it may seem that the June 2008 deadline is coming out of nowhere and that businesses will be scrambling to achieve PCI compliance. But businesses should have ensured that all of its web applications were secure from the beginning. PCI compliance shouldn't be viewed as a checklist, because then unreliable fixes may be applied to problems. Instead, web application security should be implemented within the web application itself. When web application security is implemented properly, the PCI compliance requirements related to web application security are automatically met.

As a result, the development and quality assurance (QA) teams at businesses need to be focused on web application security. Businesses may need to break their web applications down from the start, rather than trying to install patches and fixes for PCI compliance.

Section 11 of the guide could also cause problems in the near future. It states that security scans must be done on a regular basis. If web application security issues are not fixed internally, and patches have been installed as an afterthought, these scans could become quite a nightmare because they will identify hundreds of issues that will need to be fixed. It’s better to take the time to build in web application security measures and avoid this problem altogether.

Conclusion

After section 6.6 of PCI compliance becomes mandatory in June 2008, businesses that process credit cards will have to work harder to be PCI compliant, and evaluate their web applications very carefully. By ensuring that web application security is built from within, rather than by adding on fixes that will only work in the short term, businesses will find that not only are they compliant with one part of the PCI standards, but that they are compliant with all of them, and that customer data is secure across the board.


Michael Sutton
HP Software
hp@mediumblue.com
Page: 1 of 1
Previous Page | Next Page
Comments
Currently, there are no comments. Be the first to post one!
You must be logged in to post a comment. You can login here

Introduction

Sir Winston Churchill once said, "If you have knowledge, let others light their candles with it."

TechLINKS Community Publishers share their knowledge with the Georgia technology industry in order to help illuminate the many top-of-mind issues important to your business. Their community participation demonstrates the significant expertise and generosity contained within the Georgia technology industry.

Knowledge has no value when it is stored - it only has value when it is shared and applied. We know that businesses, educational institutions and government agencies sit upon rich veins of untapped information.

Community Publishing's mission is to tap into and release that knowledge to Georgia's technology community.

We encourage you to read the following articles on our website. To create and submit your own article and join this growing, distinguished group, click on "Create Article."

Atlanta & Georgia Business Directory Categories

 | Atlanta HR Outsourcing : Atlanta Consultant | Atlanta Staffing Agency Recruiting Temporary Employment in Georgia GA | Atlanta Business and Professional Services | Atlanta Project Management Atlanta Consulting Market Research | Atlanta PC Consulting Atlanta Computer Service Network Security | Atlanta Web Site Design Ecommerce Internet Marketing | Atlanta Hosting Internet Service Provider & Dedicated Hosting | Atlanta Business Process Automation Quality Assurance Consulting | Atlanta Management Computer Training Continuing Education | Atlanta PC Consulting Computer Service Network Security | Atlanta Wireless Application VOIP Telecommunication | Data Recovery Atlanta IT Consulting IT Services Atlanta |