On June 30, another refresh of the Payment Card Industry (PCI) Data Security Standards (PCI DSS) will upgrade Web application security testing from a best practice to a mandatory practice. The deadline forces merchants and vendors to take a closer look at application-layer security and emphasizes its importance in fighting increasing online threats.
The Payment Card Industry Data Security Standards were developed by the five leading payment card brands – American Express Co., Visa International, MasterCard Worldwide, Discover Financial Services LLC, and Japan-based JCB International Credit Card Co. Ltd – now organized as the PCI Security Standards Council, to ensure the protection of consumer credit card information and to set a global standard for security.
Customer trust is critical to a company’s bottom line, particularly when the company relies on e-commerce and online credit card transactions, and privacy and security issues are a real concern for today’s consumer. In fact, it was the onslaught of highly publicized breaches and identity theft scams that prompted the credit card companies to establish the PCI Data Security Standards in the first place, as a means to protect card members’ confidential information.
The original PCI documentation stated that “the most elusive vulnerabilities are those introduced through custom-developed e-commerce applications.” Gartner Inc. has estimated that 75 percent of online attacks target Web applications, specifically. As such, the new PCI mandate recognizes the critical importance of securing applications in an effort to maintain a vulnerability management program by offering more clarity around what is required for Web application security compliance.
It mandates that all web applications are protected against known attacks by applying either application code review or a web application firewall. To further clarify the requirements, the PCI security Standards Council issued an addendum in April of this year explaining what qualifies as a code review: 1) manual review of application source code; 2) proper use of automated application source code analyzer (scanning) tools; 3) manual Web application security vulnerability assessment; or 4) proper use of automated Web application security vulnerability assessment scanning tools.
Finding and mitigating vulnerabilities is the greater goal of PCI’s Web application security initiative, as it acknowledges what security professionals have known for a long time – security needs to be addressed from the very beginning. This is most adequately achieved through implementing both code review and a Web application firewall. Vulnerabilities must be identified early on, as it’s too late to address them once an application has been deployed.
As PCI recommends, the use of automated scanning tools makes it possible to test for security from the very beginning and continually throughout the software development lifecycle, preventing vulnerabilities from turning into threats. Dealing with the root of the problem by embedding security analysis into the lifecycle of an application will not only guarantee improved security but it will save your organization time and money.
Smart companies will use the latest PCI upgrade as the motivation for putting their entire security and privacy compliance programs in order, building in security assessment from the ground up. Complying once and then forgetting about it until the next audit is bad practice. To successfully drive more business through the online channel, organizations cannot ignore Web privacy and application security. Only through a combination of dedication, education, business process improvement and risk management technology will firms be able to properly protect and control the online channel.
Meeting the PCI requirements for Web application security by employing code review and a Web application firewall is a great starting point, but to fully protect consumer data and implement a comprehensive online risk management strategy, organizations must also enforce policies that include ongoing compliance monitoring procedures.
Consider these recommendations:
- Educate consumers about the dangers of online scams and alert them to threats such as phishing, key logging and pharming. The more knowledgeable customers are to online scams, the less fearful and vulnerable they will be.
- Offer privacy and security guarantees to customers in the event of fraud or identity theft. Prominently highlight the company’s promise to protect customer information and make privacy and security policies simple to understand and easily accessible on the website.
- Communicate and market the website’s online privacy and security features in ways consumers can understand. Retailers have an opportunity to incorporate site features that promote confidence and trust, such as offering clear and easy ways to find help.
- Closely monitor and manage relationships with third parties to ensure the same, if not higher, security standards are in place to protect customer information. Security and privacy are not only about your company’s site but also that of outsourcers and partners that may handle sensitive information.
- Develop an action plan to immediately update customers, legal authorities and the hosting provider of the offending site when a scam has been detected. Taking the appropriate steps to address the problem limits a company’s exposure window.
- Use automated solutions to monitor for application vulnerabilities and achieve compliance with a range of laws, best practices and security and privacy policies. These also include the identification of privacy and Web application security issues and cross-site scripting vulnerabilities that can lead to breaches. Preventing or detecting glitches early gives companies more lead-time to execute a response plan and encourages a trusted online environment for customers.
While Web teams are busy optimizing websites to support online transactions, do not neglect the important step of securing the site, the applications and the data they collect. Not only will this fulfill the latest PCI mandate, but it will improve an organization’s security overall and ensure that there is a framework in place to manage future threats. It takes only a single breach to ruin a reputation.