PCI deadline will not be met by most retailers

(15/05/2008)

According to Gartner, most of the analyst firm’s clients will not be ready to meet the PCI-DSS Section 6.6 deadline of 30th June. After this date all merchants that accept payment card transactions will have to use either a specialised firewall to protect web applications or to have completed a web application software code review to ensure that any vulnerability is discovered and fixed.

Even though these measures have been encouraged as best practice over the past 18 months, Gartner’s comments seem to point to the fact that many are still not in a position to adhere to this new regulation. Indeed, many appear to be still struggling with the exact actions they need to undertake, let alone to start putting them in place.

dns believes that even retailers that have started the process are in many cases looking for a quick fix solution, focusing on installing web application firewalls, instead of undertaking the full code review. This obviously will bring them in line with current regulation, but still leaves them exposed not only to further, enhanced regulation, but also to attack, with flaws in application software still vulnerable.

With so many retailers struggling to meet the deadline in just over a month and half, what can they do to make sure that they do not fall foul of the regulation?

“With the deadline rapidly approaching retailers are going to be looking to bring in security policies quickly to ensure that they adhere to this regulation. But the PCI-DSS has been brought in for a reason, and unless companies fully understand the sensitive nature of the customer information they hold, the problems will continue and customer confidence will keep falling,” said Lee Lawson lead penetration tester at dns.

Lawson continues. “We have come across companies who are unsure of what steps they should be taking and so have left it until the last minute. They should not be looking for a quick fix in this case – it does not help the company long term as increased regulation is inevitable, and certainly does not help the customer if there are still flaws in existing applications, leaving sensitive information exposed.”

“If companies are unsure then they should perhaps look to bring in independent dedicated experts, to talk them through the process, advise on best practice and help to implement and monitor controls. Without this support, companies will continue to struggle after the 30th June with a detrimental effect on both security and customer confidence,” Lawson concluded.

Related topics:  Data management and data security   Firewall   Hacking and intrusion prevention   Security management and policies 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources