Deadline arrives for latest PCI standard requirement

The Payment Card Industry Data Security Standard (PCI DSS), as of Monday, upgrades web application security testing from a best practice to a requirement.

However, only a small number of companies are prepared for the deadline, said Joey Peloquin, senior security consultant for Hewlett-Packard. He added that he had expected an increase in inquiries about compliance, but that increase never happened.

“Companies had since September 2006 to prepare. That's when [the first version of PCI DSS] was officially released,” Peloquin told SCMagazineUS.com on Monday. “And Section 6.6 (as a best practice) was in that document.”

Section 6.6 of the DSS requires that companies ensure all web-facing applications are protected against known attacks by one of two methods: either reviewing custom application code for common vulnerabilities, or installing an application-layer firewall in front of web-facing applications.

“No enterprise that processes credit cards has an excuse for not meeting the requirements,” Peloquin said.

Instead, he said, too many companies were avoiding the Section 6.6 best practices altogether.

“They weren't taking it seriously, and many companies didn't even have it in their project plans for 2007 or 2008,” Peloquin said. “They had almost two years to work on this, which was more than enough time.”

Companies that aren't in compliance during the audit will risk fines and other losses that could reach into the millions of dollars, he said.

“You don't want compliance to drive security,” he said.

Instead, companies should consider implementing best practices with any new on-line procedure, he said.

One theory Peloquin had for the apparent non-compliance was that companies assume there will be a grace period, but he doesn't believe that is going to happen, especially since the next version of the DSS is under development.

“I expect the security standard to become even more stringent in the next version,” he said.
