Deadline arrives for latest PCI standard requirement

As of Monday, the Payment Card Industry Data Security Standard (PCI DSS) upgrades web application security testing from a best practice to a requirement.

However, only a small number of companies are prepared for the deadline, said Joey Peloquin, senior security consultant for Hewlett-Packard, adding that he had expected an increase in inquiries about compliance, but that increase never materialized.

“Companies had since September 2006 to prepare. That's when [the first version of PCI DSS] was officially released,” Peloquin told on Monday. “And Section 6.6 (as a best practice) was in that document.”

Section 6.6 of the DSS requires companies to ensure that all web-facing applications are protected against known attacks by one of two methods: reviewing custom application code for common vulnerabilities, or installing an application-layer firewall in front of web-facing applications.

“No enterprise that processes credit cards has an excuse for not meeting the requirements,” Peloquin said.

Instead, he said, too many companies were avoiding the Section 6.6 best practices altogether.

“They weren't taking it seriously, and many companies didn't even have it in their project plans for 2007 or 2008,” Peloquin said. “They had almost two years to work on this, which was more than enough time.”

Companies that aren't in compliance during the audit will risk fines and other losses that could reach into the millions of dollars, he said.

“You don't want compliance to drive security,” he said.

Instead, companies should consider implementing best practices with any new online procedure, he said.

One theory Peloquin had for the apparent non-compliance was that companies assume there will be a grace period, but he doesn't believe that is going to happen, especially since the next version of the DSS is under development.

“I expect the security standard to become even more stringent in the next version,” he said.
