PCI v1.1 Deadline Approaching
On June 30, 2008, Requirement 6.6 of the PCI DSS v1.1 becomes mandatory. It is the item most likely to cause concern, and it reads:
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application-layer firewall in front of web-facing applications.
The current text of the standard notes that this requirement is considered a best practice until June 30, 2008; after that date it becomes a requirement.
This has raised a lot of questions and concern. Does every company need an outside firm to review its code line by line? The PCI Security Standards Council has addressed this in its information supplement clarifying Requirement 6.6, which states:
The application code review option does not necessarily require a manual review of source code.
Keeping in mind that the objective of Requirement 6.6 is to prevent exploitation of common vulnerabilities (such as those listed in Requirement 6.5), several possible solutions may be considered.
They are dynamic and pro-active, requiring the specific initiation of a manual or automated process. Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum level of protection against common web application threats:
1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools
I think having your development team properly trained in secure development is also a good measure. So if you fall under PCI requirements, don't forget to keep up with the standard.
