Are You Ready for the Next PCI Compliance Deadline?Analysts Say Many Merchants Will Miss June 30 Date for 6.6 Requirement
The deadline for compliance with the Payment Card Industry's Data Security Standard DSS (PCI-DSS) 6.6 requirement is June 30. This requirement describes security steps that are intended to address threats to web applications.
According to Bob Russo, general manager for the PCI Security Standards Council, forensic analyses of cardholder data compromises show that web applications are frequently an initial point of attack upon cardholder data. The Council crafted Requirement 6.6 to ensure web applications exposed to the public Internet are protected against the most common types of malicious input.
This requirement had been listed as a best practice since the launch of the DSS 1.1 in September of 2006, but as of June 30 becomes a requirement for all companies that accept credit card transactions. "We are confident that this lead time has been sufficient for most organizations to consider the mandatory implementation in June," Russo says.
But is that an accurate assessment? Gartner analyst Avivah Litan projects that only half of level one merchants (those that have more than 6 million credit card transactions per year) will be compliant with 6.6 by June 30.
"If past history is any indicator," Litan says, "maybe only 35-40 percent is more likely."
It always takes time to catch up with the changes, she explains, adding "A lot of retailers are getting burned out on PCI." Litan says Gartner has been getting a lot of calls on the requirement and compliance work, and observes that people are taking it very seriously.
A sense of "foot-dragging" on the part of companies is apparent to Matt Davis, principal at SecureState, an information and risk assessment firm in Cleveland, OH. "I have a feeling that most companies are behind. As we say all the time, no one does security until they have to ..."
What 6.6 is All About
Requirement 6.6 gives merchants and service providers two options to ensure that input to web applications from untrusted environments is fully vetted. Although the requirements mandate the use of either an in-depth application code review or a web application firewall, the standard recommends deploying both techniques.
Organizations electing to undergo an application review have four choices:
The second option of the new requirement requires organizations to deploy a web application firewall between the web server and end-point devices. This is in addition to requiring standard network firewalls typically placed on an enterprise network's perimeter. Gartner's security team recommends building security into the application when it is developed. "A firewall is not a bad idea, but it should be used in conjunction with secure applications," Litan says. "Companies should make sure their applications aren't vulnerable to start with. A firewall should be the last resort."
Why 6.6 Matters to Financial Institutions
Financial institutions need to be interested in companies meeting compliance with the new requirement, says Michael Gavin, a PCI security expert. "Financial institutions need to pay attention to this and take it seriously," he says. "Realize you're responsible for this information. The way fines are levied, the card companies assess the fines against the acquiring bank, not the retailer." It is the acquiring bank's responsibility to make sure the merchants are PCI-compliant.
Gavin stresses financial institutions need to take PCI compliance seriously. "Otherwise your name will be in headlines. It's not just the companies and service providers that are in the headlines."
As PCI compliance calls come into Gartner from merchants needing help, Litan says the majority of callers are interested in how they can limit their scope, and ask "How do I get out of this?" Outsourcing the compliance efforts to an information security company that does PCI compliance work is probably a good move for most companies, she advises. This allows them to focus on their core business.
The PCI Security Standards Council has an information supplement for Requirement 6.6, regarding application code review and application firewalls. The information supplement is available on the Council's website at https://www.pcisecuritystandards.org/tech/supporting_documents.htm.
"The Council is continually looking to provide the clearest guidance to all in the payments chain on implementing the PCI DSS," Russo says. "These periodic Information Supplements are created from the varied and critical industry feedback we continue to receive from our stakeholders and are designed to make it easier for organizations' PCI DSS projects."