Deadline arrives for latest PCI standard requirement

As of Monday, the Payment Card Industry Data Security Standard (PCI DSS) makes web application security testing a requirement rather than a best practice.

However, only a small number of companies are prepared for the deadline, said Joey Peloquin, senior security consultant for Hewlett-Packard, adding that he had expected an increase in inquiries about compliance, but that increase never happened.

“Companies had since September 2006 to prepare. That's when [the first version of PCI DSS] was officially released,” Peloquin said on Monday. “And Section 6.6 (as a best practice) was in that document.”

Section 6.6 of the DSS requires companies to ensure that all web-facing applications are protected against known attacks by one of two methods: having custom application code reviewed for common vulnerabilities, or installing an application-layer firewall in front of the web-facing applications.

“No enterprise that processes credit cards has an excuse for not meeting the requirements,” Peloquin said.

Instead, he said, too many companies were avoiding the Section 6.6 best practices altogether.

“They weren't taking it seriously, and many companies didn't even have it in their project plans for 2007 or 2008," Peloquin said. "They had almost two years to work on this, which was more than enough time.”

Companies that aren't in compliance at audit time will risk fines and other losses that could reach into the millions of dollars, he said.

“You don't want compliance to drive security,” he said.

Instead, companies should consider implementing best practices with any new online procedure, he said.

One theory Peloquin had for the apparent non-compliance was that companies assume there will be a grace period, but he doesn't believe that is going to happen, especially since the next version of the DSS is under development.

“I expect the security standard to become even more stringent in the next version,” he said.
