Few expected to make PCI deadline for web app security

Retailers covered by the Payment Card Industry data security standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting web applications.


Retailers covered by the Payment Card Industry data security standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting web applications.

But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance.

After 30 June, all merchants accepting payment card transactions will be expected to either use a specialised firewall for protecting their web applications or to have completed a web application software code review for finding and fixing vulnerabilities in these applications.

Companies that fail to implement either measure will be deemed to be out of compliance with PCI starting 30 June.

"Most of our clients are not going to be ready," by that deadline, said Aviva Lintan, an analyst at Gartner. "We are amazed at how many companies are still only learning their way around the requirements" and what they call for, Litan said.

With the deadline fast approaching, though, Gartner has seen an uptick in the number of calls it is receiving from clients wanting to know more about the new controls and how to implement them, Litan added.

Section 6.6 of the new PCI requirements (download PDF) basically requires merchants to ensure that all web-facing applications are protected against known attacks by applying either an application firewall or by completing an application code review - either manually or by using application scanning tools. The requirements have been recommended best practice for more than 18 months but are now becoming a formal mandate.

According to Litan, many of Gartner's clients are choosing to deploy web application firewalls instead of going the code review route.
"They are looking for quick fixes. Application firewalls are quick fixes" compared to finding and fixing flaws in application software, she said.

However such firewalls alone are not enough in the long run, she added: "Application firewalls are a reactive measure. You have a lot of vulnerable applications that still need to be fixed."

As a result, companies that want to really secure their web application environments will need to think beyond PCI compliance. Scanning for and fixing vulnerabilities in web applications "should be given priority over the use of web application firewalls, which should be used in addition to, not instead of," code reviews, she said.

Under 6.6, companies that choose to implement application firewalls need to ensure that the technology is deployed in full blocking mode, said Jeremiah Grossman, chief technology officer and founder of WhiteHat Security. Doing that effectively requires merchants to invest a substantial amount of time tweaking their firewalls to ensure that only malicious content is blocked, while letting legitimate traffic in.

There is a learning process involved in doing this that can take anywhere from three to six months - which, he noted, many companies may not be aware of or budgeting for.

There may be a similar disconnect over what the code-review component really means, Grossman said. Companies that choose to do a code review will need to make sure that that they are not just identifying the vulnerabilities in their software but are actually going out and fixing them, which can be a time consuming process, he said.

"Recommended For You"

Visa warns merchants who don't meet PCI deadline Confused companies get checklist for PCI standard compliance