Viewpoint: Use Consistently High Standards for Web Security

Article excerpt

This month the Payment Card Industry Data Security standard was updated for all organizations that handle credit card data. The revised standard, the first update to the almost two-year-old standard, offers mostly clarification but recommends that merchants and vendors take a closer look at application-layer security.

In addition, the five leading payment card brands announced the formation of the PCI Security Standards Council, which will ensure that the development of the standard is as efficient and effective as possible.

Customer trust is critical to a company's bottom line, particularly when it relies on e-commerce and online credit card transactions, and privacy and security issues are a real concern for today's consumer.

The original PCI documentation stated, "The most elusive vulnerabilities are those introduced through custom-developed e-commerce applications." Gartner Inc. has estimated that 75% of online attacks target Web applications specifically. As such, the revised standard offers more clarity around what is required for Web application security.

Section 11.3 has been revised to state that application-layer penetration tests should be performed at least annually and after any significant upgrade. These tests can be done internally using application-scanning software.

In addition, section 6.6, which has been added, recommends protecting all Web applications against known attacks through code review or firewalls. However, the documentation notes that both of these methods are considered best practices until June 30, 2008, after which they likely will become requirements.

Smart companies will use the revised standard as motivation for putting their entire security and privacy compliance programs in order. …