
Changes to the Payment Card Industry Data Security Standard (PCI DSS) will force retailers and businesses taking online credit card information to tighten the security of their web applications.
Requirement 6.6, added to the standard, is due to come into force on 30 June to address concerns that web applications are commonly used by hackers to access confidential credit card data.

From that date, businesses taking credit card transactions over the web will either have to run manual or automated reviews of the web application code and security scans to ensure compliance, or install a web application firewall to protect against hackers.
One blog posting on how universities that take credit card payments would cope warned that supporting Requirement 6.6 would be expensive. "Tech folks report that the type of application firewall we need could be fairly pricey and that the annual licence/maintenance fees are even worse."
Another blogger warned that the code review approach could also be very costly. "The code review is no piece of cake. The reviewer needs to be qualified, independent of the original code development, and should also be familiar with the application's business purpose/need."
Tessa Kelly, director of business administration at the British Retail Consortium, said, "PCI DSS is very US-centric. It does not take into account the standards, like chip and PIN, we have in the UK."
Veracode, a company that provides an outsourced software testing service, has seen increasing demand because of Requirement 6.6. Veracode user Delta Air Lines has used the service to help it conform with Requirement 6.6.

Matthew Moynahan, president and CEO of Veracode, said, "One-third of our customers are using the Veracode service for testing compliance of their web software with Requirement 6.6."