May 16 2008

PCI deadline will not be met by most retailers

The PCI-DSS section 6.6 deadline of the 30th June is just over six weeks away, are you ready? If not then it maybe time to get the consultants in

After this date all merchants that accept payment card transactions will have to use either a specialised firewall to protect web applications or to have completed a web application software code review to ensure that any vulnerability is discovered and fixed

Latest comment from Gartner reveals that most of the analyst firm’s clients will not be ready to meet the PCI-DSS Section 6.6 deadline of 30th June. After this date all merchants that accept payment card transactions will have to use either a specialised firewall to protect web applications or to have completed a web application software code review to ensure that any vulnerability is discovered and fixed.

Even though these measures have been encouraged as best practice over the past 18 months, Gartner’s comments seem to point to the fact that many are still not in a position to adhere to this new regulation. Indeed, many appear to be still struggling with the exact actions they need to undertake, let alone to start putting them in place.

Information security consultancy dns (www.dns.co.uk) believes that even retailers that have started the process are in many cases looking for a quick fix solution, focusing on installing web application firewalls, instead of undertaking the full code review. This obviously will bring them in line with current regulation, but still leaves them exposed not only to further, enhanced regulation, but also to attack, with flaws in application software still vulnerable.

With so many retailers struggling to meet the deadline in just over a month and half, what can they do to make sure that they do not fall foul of the regulation?

“With the deadline rapidly approaching retailers are going to be looking to bring in security policies quickly to ensure that they adhere to this regulation. But the PCI-DSS has been brought in for a reason, and unless companies fully understand the sensitive nature of the customer information they hold, the problems will continue and customer confidence will keep falling,” said Lee Lawson lead penetration tester at dns.

Lawson continues. “We have come across companies who are unsure of what steps they should be taking and so have left it until the last minute. They should not be looking for a quick fix in this case – it does not help the company long term as increased regulation is inevitable, and certainly does not help the customer if there are still flaws in existing applications, leaving sensitive information exposed.”

“If companies are unsure then they should perhaps look to bring in independent dedicated experts, to talk them through the process, advise on best practice and help to implement and monitor controls. Without this support, companies will continue to struggle after the 30th June with a detrimental effect on both security and customer confidence,” Lawson concluded.

by Marcus Austin (Web Editor)