Few expected to make June 30 PCI deadline for Web application security

Computerworld - Retailers covered by the Payment Card Industry Data Security Standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance.

After June 30, all merchants accepting payment card transactions will be expected to either use a specialized firewall for protecting their Web applications or to have completed a Web application software code review for finding and fixing vulnerabilities in these applications. Companies that fail to implement either measure will be deemed to be out of compliance with PCI starting June 30.

"Most of our clients are not going to be ready," by that deadline, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. "We are amazed at how many companies are still only learning their way around the requirements" and what they call for, Litan said.

With the deadline fast approaching, though, Gartner has seen an uptick in the number of calls it is receiving from clients wanting to know more about the new controls and how to implement them, she added.

Section 6.6 of the new PCI requirements (download PDF) basically requires merchants to ensure that all Web-facing applications are protected against known attacks by applying either an application firewall or by completing an application code review -- either manually or by using application-scanning tools. The requirements have been recommended best practice for more than 18 months but are now becoming a formal mandate.

According to Litan, many of Gartner's clients are choosing to deploy Web application firewalls instead of going the code review route. "They are looking for quick fixes. Application firewalls are quick fixes" compared to finding and fixing flaws in application software, she said. However, such firewalls alone are not enough in the long run, she added: "Application firewalls are a reactive measure. You have a lot of vulnerable applications that still need to be fixed." As a result, companies that want to really secure their Web application environments will need to think beyond PCI compliance. Scanning for and fixing vulnerabilities in Web applications "should be given priority over the use of Web application firewalls, which should be used in addition to, not instead of," code reviews, she said.

Under 6.6, companies that choose to implement application firewalls need to ensure that the technology is deployed in full blocking mode, said Jeremiah Grossman, chief technology officer and founder of WhiteHat Security Inc. Doing that effectively requires merchants to invest a substantial amount of time tweaking their firewalls to ensure that only malicious content is blocked, while letting legitimate traffic in. There is a learning process involved in doing this that can take anywhere from three to six months -- which, he noted, many companies may not be aware of or budgeting for.