
Payment card security standard tightened

Author: Cliff Saran
Posted: 16:00 24 Apr 2008
Topics: Security | Internet Security

Changes to the Payment Card Industry Data Security Standard (PCI DSS) will force retailers and businesses taking online credit card information to tighten the security of their web applications.

Requirement 6.6, added to the standard as a best practice and due to become mandatory on 30 June 2008, addresses the concern that public-facing web applications are one of the most common routes by which attackers reach cardholder data.

From that date, businesses taking card payments over the web must do one of two things: have their public-facing web applications reviewed for vulnerabilities, by manual or automated code review or by an application vulnerability assessment, at least annually and after any change; or put a web application firewall in front of those applications to block attacks before they reach the code.

One blog posting on how universities that take credit card payments would cope warned that meeting Requirement 6.6 would be expensive. "Tech folks report that the type of application firewall we need could be fairly pricey and that the annual licence/maintenance fees are even worse."

Another blogger warned that the code review route could be just as costly. "The code review is no piece of cake. The reviewer needs to be qualified, independent of the original code development, and should also be familiar with the application's business purpose/need."

Tessa Kelly, director of business administration at the British Retail Consortium, said, "PCI DSS is very US-centric. It does not take into account the standards, like chip and PIN, we have in the UK."

Veracode, which provides an outsourced application security testing service, has seen demand rise because of Requirement 6.6. Veracode customer Delta Air Lines has used the service to help it meet the requirement.

Matthew Moynahan, president and CEO of Veracode, said, "One-third of our customers are using the Veracode service for testing compliance of their web software with Requirement 6.6."
