In custom application development in particular, organizations struggle with integrating security throughout each phase of the development lifecycle, and producing audit reports that demonstrate the status of PCI compliance in both in-house and outsourced systems. Addressing these challenges will require a combination of the right process, the right skills, and the right tools. It is vital that organizations subject to the PCI requirements start on this initiative immediately. Says John Pescatore of Gartner, “The rapid rise of targeted threats makes increased application security something enterprises should focus on today.”
PCI’s Global Impact
The pressure on organizations to comply with PCI standards is being felt worldwide, as global markets and transactions are predominant, and the impact of data security breaches transcends national borders. The card brands are global entities and as such are executing a worldwide rollout of the PCI compliance and enforcement schemes. American Express, for example, anticipates completing its worldwide rollout in 2008, according to Gartner. That pressure is being felt among executives worldwide. A recent survey of European security professionals by Qualys and the Jericho Forum found that 74% of European senior security executives see the impact of payment card loss on brand reputation as their biggest concern. The same survey showed that Europeans need to catch up with United States companies in the area of PCI compliance. Only 39% of Europeans are currently addressing PCI compliance versus 63% in the United States. While enforcement activities have been lagging outside of North America, the card companies will clearly be turning their attention to global markets during 2008, and legislation, country by country, will likely follow the pattern set in the United States and Canada, making disclosure mandatory when breaches occur. Security breach disclosure proposals being considered by the European community include a requirement that regulators be notified when a security breach takes place.
PCI Compliance: It’s not just for credit card companies anymore
The PCI DSS is demonstrably becoming a de facto standard of due care for any organization responsible for the privacy and integrity of data. As a result, state and federal lawmakers are incorporating similar standards into the development of data privacy legislation. The first step for many states has been requiring disclosure in the event of a breach, either upon access or potential exposure of the data, or in the event of a material exposure. Figure 1 below shows the preponderance of states that have some sort of regulation regarding breach disclosure. Also on the rise is legislation addressing standards for data security modeled on the PCI and OWASP standards, as well as associated penalties for non-compliance and rewards for compliance. One example is the state of Texas, which has a bill under consideration that would provide protection to organizations that demonstrate compliance with PCI DSS, and institute liability for card re-issuing fees for those who are not compliant. Organizations outside of financial services and retail are feeling increasing pressure from legislators, stockholders, press, and customers to take concrete steps to protect critical data from misuse or corruption. The coming years will likely continue the move towards a universally accepted standard of due care in data privacy. Most companies have a fairly comprehensive security deployment in place, making use of firewalls, VPNs, access control, and encryption to safeguard their valuable assets. PCI DSS, however, takes a more holistic view of security, recognizing that it is only through a defense-in-depth model that data assets can be most efficiently secured. With this view in mind, PCI is the first regulation to spell out the need for security rigor around the applications themselves.
Applications: A Potential Source of Security
The increased focus on application security in the latest revisions of the PCI DSS can be traced directly to many of the recent high-profile breaches, where insecure applications have proved to be the point of access for hackers and the source of data loss. An InformationWeek article emphasizes the threat due to software problems, stating that “the steady stream of disclosures that customer information is being lost or stolen from retailers has caused security experts to focus on two areas: poor security practices by the retailers themselves and weaknesses in the software used to process credit-card payments.”