Retailers Face Deadline for Securing Web-facing Applications

By Matthew Harwood

Retailers that accept payment cards, credit or debit, have until the end of day to comply with a new regulation aimed at protecting consumers’ personal information from hackers and other malicious web-based attacks.

 As part of the Payment Card Industry Data Security Standard (PCI DSS), the new requirement mandates that all retailers and payment card processors’ web-facing applications be protected from known attacks such as cross-site scripting, denial of service attacks, buffer overflows, and other vulnerabilities.

This new mandate is just one part of the 12 requirements that retailers and processors must fulfill to become certified as compliant with the standard. The standards were created by the five major payment card brands—American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.—to enhance payment account security.

Retailers can satisfy the new mandate two ways. The first option is to install a web application firewall in front of all web-facing applications. The second option is to do a complete source code review.

There are many ways for retailers or processors to comply with the requirement if they choose to do a source code review.

Retailers and processors can choose between manual or automated source code review or settle on either a manual penetration application level test or an automated web application scanning tool, says Sumedh Thakar, PCI solutions manager for Qualys, a scanning vendor approved by the PCI Security Standards Council, an independent and global organization that manages the standard.

Retailers that want to quickly comply with the new requirement will probably opt to install a web application firewall, believing that once they install a firewall they’ve satisfied the standard and then forget about it. They’re wrong, says Thakar.

The council, he says, has already released a listing of capabilities that a web application firewall should have and it also requires that the firewall be configured properly. It’s not an out-of-the-box solution.

Michael Weider, director of security solutions for IBM Rational, recently wrote in an article for SM Magazine that a “web application firewall is putting a band-aid on the application and is not a comprehensive approach to finding and mitigating vulnerabilities.”

The sophisticated choice for retailers and vendors serious about security is a source code review, says Thakar.

Each card brand ultimately determines if a retailer or processor is compliant and when they’re not, they have the authority to levy fines or take away the ability of a retailer or processor to accept payment card transactions.

The requirement was previously considered a best practice when the first version of the PCI DSS was released in September 2006. Anyone that accepts or processes payment cards then had 18 months to get on the right side of the standard.

Glenn Boyet, director of marketing and communications for the PCI Security Standards Council, said the mandate wasn’t initially a requirement to give “people leeway to get these things in order.”

“If you made it a mandate on day one, you would have a lot of folks that would be out of compliance immediately,” he added.

Despite an 18-month cushion, a recent article at said the requirement “appears destined to pass with a majority of merchants unlikely to be in full compliance.”

Large merchants, however, says Amer Deeba, chief marketing officer for Qualys, are fully aware of today’s deadline.

The real worry for the PCI Security Standards Council is small merchants, such as your pizza joint down the street that probably doesn’t take a large volume of payment card transactions. Boyet says the council has done a tremendous amount of outreach to make sure all merchants taking payment card transactions knew of today’s deadline.

Nevertheless, breaches among smaller merchants’ compliance don’t affect the marketplace as much as global retailers such as Wal-Mart.

“The smaller merchants are not the biggest risk though,” says Boyet. “[Cybercriminals] want to hit the large retailers of the world, places that are big operations.”

From December 2007 to March of this year, hackers stole 4.2 million credit and debit card numbers from Hannaford Supermarkets by using packet sniffers.

The negative fallout from large-scale breaches such as this one drive big retailers to make sure they are compliant, says Boyet.

“We are already seeing this with the initiation of class-action lawsuit against breached retailers,” he says. “What happens to your brand? The lack of trust. You lose revenue. You lose business. And if you’re a small business, you could literally go out of business.”

Thus, the PCI DSS is the proverbial thing that hurts at first, but is good for you in the end.

“[The standard] is a good framework so we can all feel safe online when we’re buying goods and making credit card transactions,” says Deeba.

Version 1.2 of the PCI DSS will be released this October, according to a statement of the PCI Security Standards Council. The new version, says the council, will be clearer, more flexible, and will address more new and evolving risks and threats than the previous version.


View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.