At the end of December 2014 the new set of Payment Card Industry Data Security Standards (PCI DSS) will come largely into force, with just a few small elements having the later deadline of July 2015 to allow businesses time to adapt.
If your company or organisation processes card transactions, either directly or through a third party provider then you should already be aware of the standards, in which case this is simply a matter of reviewing and updating your processes where necessary. If you’re new to PCI compliance then we suggest you read our PCI Compliance white paper.
The themes of the changes are categorised as:
- Education and awareness
- Increased flexibility
- Security as a shared responsibility.
Requirements 1, 2, 5, 6, 8, 9, 11 and 12 are the ones which have been subject to change and therefore the ones which those subject to PCI compliance must give the most attention to.
One of the most serious threats to data security is cyber attacks to web-facing servers, and this is an element of the requirements which is regularly updated to identify the most common methods of attack.
Requirement 6 which deals with web application security, outlines the most common vulnerabilities and impresses the importance of regular security checks, such as using a vulnerability scanner. The most salient element is 6.6 as follows:
‘For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.’
While the document states ‘either of the following methods’, industry best practice would in fact be to employ both methods, regular security assessment tools such as the use of a vulnerability scanner and the installation of a web application firewall. This would be the set up which would give greatest protection against cyber attacks, which are the most common method of data theft.
A good web application vulnerability scanner such as Acunetix is regularly updated to detect newly discovered vulnerabilities (for example Shellshock, where an Acunetix update was available within 24 hours). You can also set the scanner to run regular automatic checks, ensuring your web application continues to be free of vulnerabilities at all times, rather than simply identifying them on an annual basis, which would be deemed insufficient by many security professionals considering the frequency of new threats being discovered.
Read more about PCI Compliance in our white paper.
PCI v3.0 full document https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf