Deadline arrives for latest PCI standard requirement

As of Monday, the Payment Card Industry Data Security Standard (PCI DSS) upgrades web application security testing from a best practice to a requirement.

However, only a small number of companies are prepared for the deadline, said Joey Peloquin, senior security consultant for Hewlett-Packard, adding that he had expected an increase in inquiries regarding compliance, but that increase never happened.

“Companies had since September 2006 to prepare. That's when [the first version of PCI DSS] was officially released,” Peloquin told on Monday. “And Section 6.6 (as a best practice) was in that document.”

Section 6.6 of the DSS states that companies will ensure that all web-facing applications are protected against known attacks by one of two methods: either reviewing custom application code for common vulnerabilities or installing an application-layer firewall in front of web-facing applications.

“No enterprise that processes credit cards has an excuse for not meeting the requirements,” Peloquin said.

Instead, he said, too many companies were avoiding the Section 6.6 best practices altogether.

“They weren't taking it seriously, and many companies didn't even have it in their project plans for 2007 or 2008,” Peloquin said. “They had almost two years to work on this, which was more than enough time.”

Companies that aren't in compliance during the audit will risk fines and other losses that could reach into the millions of dollars, he said.

“You don't want compliance to drive security,” he said.

Instead, companies should consider implementing best practices with any new on-line procedure, he said.

One theory Peloquin had for the apparent non-compliance was that companies assume there will be a grace period, but he doesn't believe that is going to happen, especially since the next version of the DSS is under development.

“I expect the security standard to become even more stringent in the next version,” he said.
