If your company stores or processes credit card information, you must be able to demonstrate compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). These standards, created by representatives of the credit card companies, include requirements for security management, policies, procedures, network architecture, design, and other critical protective measures. They also include one very prescriptive requirement that goes into effect on June 30, 2008. Section 6.6 mandates that organizations secure all Web applications by conducting a code review or installing an application layer firewall. To date, companies have had a very difficult time passing the other parts of Section 6. They’ve also experienced a rising number of data breaches. Unless companies take 6.6 seriously, PCI compliance failure rates, and data breaches, will continue to grow.

This white paper provides an overview of how best to pass Section 6.6, shares feedback from failed audits in 2006 and 2007, outlines the pros and cons of fixing the code versus installing an application firewall, and introduces Fortify’s Business Software Assurance solution, Fortify® 360, which delivers source code analysis, Web application testing, and application firewall technology.

In 2004, the major credit card companies developed the first integrated set of IT security standards for all online merchants. These standards were revised in 2006, and the PCI Council, an independent entity, was formed to manage and enforce these standards. The complete standards can be read at: https://www.pcisecuritystandards.org/tech/index.htm

In the newest revision (version 1.1), the PCI Council made several minor edits and added a new initiative. This new initiative — Section 6.6 — started as a best practice and became mandatory on June 30, 2008.
This section reads:

“Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
• Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
• Installing an application layer firewall in front of web-facing applications” [1]

On April 22, 2008, the PCI Council released a supplement document to clarify this section. The key points were:
• Automated source code analysis tools can be used to meet this requirement
• Automated Web application scanning tools can be used to meet this requirement
• If either of these tools is used, or an application firewall is deployed, they must be configured, set up, and managed appropriately

With the June 30, 2008, deadline passed, companies are quickly trying to address Section 6.6.