Relaxation of PCI DSS is no surprise

The recent ease in requirements for UK retailers attempting to comply with the Payment Card Industry Data Security Standards (PCI DSS) did not surprise application security expert Fortify Software, which has raised concerns over the amount of companies struggling to meet the June 30 deadline.

Jacob West, Manager of the Security Research Group at Fortify Software, has made the following comments:

“When dealing with information as sensitive as credit card details, it is absolutely crucial that everything possible is done to ensure the complete protection of this data. As such, we applaud the PCI standard and its emphasis on self-regulation.

However, given the rush for businesses to comply with the PCI standard, particularly the requirement to maintain secure systems and applications, we’re concerned that some organisations won’t do as thorough a job as they should. To achieve meaningful compliance with PCI, organisations have to design, build, test, and deploy their credit card systems with security in mind from the very beginning.

We believe the PCI standard would be more effective – and that more companies would pass the PCI audit the first time – if it outlined specific steps necessary to implement a secure development lifecycle. Rather than alluding to industry best practices, we would like to see PCI mandate specific activities, such as architectural risk assessment, static source code analysis during development, security testing with specific measures of breadth and depth, and application-aware security defences applied to deployed applications.”