The Payment Card Industry Data Security Standard (PCI DSS), as of Monday, requires web application security testing, upgrading it from a best practice to a mandatory requirement.
However, only a small number of companies are prepared for the deadline, said Joey Peloquin, senior security consultant for Hewlett-Packard, adding that he had expected an increase in inquiries regarding compliance, but that increase never happened.
“Companies had since September 2006 to prepare. That's when [the first version of PCI DSS] was officially released,” Peloquin told SCMagazineUS.com on Monday. “And Section 6.6 (as a best practice) was in that document.”
The DSS Section 6.6 states that companies will ensure that all web-facing applications are protected against known attacks by one of two methods: either reviewing custom application code for common vulnerabilities or installing an application-layer firewall in front of web-facing applications.
“No enterprise that processes credit cards has an excuse for not meeting the requirements,” Peloquin said.
Instead, he said, too many companies were avoiding the Section 6.6 best practices altogether.
“They weren't taking it seriously, and many companies didn't even have it in their project plans for 2007 or 2008,” Peloquin said. “They had almost two years to work on this, which was more than enough time.”
Companies that aren't in compliance during the audit will risk fines and other losses that could reach into the millions of dollars, he said.
“You don't want compliance to drive security,” he said.
Instead, companies should consider implementing best practices with any new on-line procedure, he said.
One theory Peloquin had for the apparent non-compliance was that companies assume there will be a grace period, but he doesn't believe that is going to happen, especially since the next version of the DSS is under development.
“I expect the security standard to become even more stringent in the next version,” he said.