Click here to receive your FREE subscription to Campus Technology
Online Security
Payment Standard for Web Apps Goes Live
7/3/2008
A new payment card industry (PCI) standard for Web application firewalls and source code went into effect July 1. PCI Industry Data Security standard 6.6 gives merchants a framework to ensure that the point-of-sale information uploaded into browser-based applications is sound from "top to bottom," the organization's literature said.
The standard can be used to help thwart common threats to cardholder data. It provides two options for retailers.
Option one includes periodic manual reviews of application source code to ensure the code is not tampered with in conjunction with an application.
The second option calls for cutting off hackers at the network level. It entails implementing what the PCI calls a "security policy enforcement point positioned between a web application and the client end point" while using a firewall. Tests of the firewall's functionality -- whether implemented through software or hardware -- need to be documented for compliance purposes. The standard recommends inspecting the "contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application."
But there is still no word on what the penalties for noncompliance to this new rule should be, which is up to the payment card companies to enforce.
"As for enforcement of the new requirement, that is up to the card payment brands as the Council is not responsible for compliance and/or enforcement," explained PCI Council spokesman Glenn Boyet in an e-mail.
"It's the classic Texas two-step," said National Retail Federation Chief Information Officer Dave Hogan. "Merchants are frustrated. I mean you go to the credit card companies for clarification of the rules and they say go to the council. You go to the council and they say that's up to the credit card companies."
The ambiguity puts retailers in limbo. Typically, they are afraid to speak ill of PCI standards for fear of reprisals from credit card giants such as Visa and Mastercard, according to the National Retail Association.
Hogan, a vocal critic of all of the current standards, would like to see retailers fully absolved of the responsibility of storing cardholder data on their systems, arguing that if retailers don't store it, hackers can't steal it.
To illustrate just how much the standards aren't working, Hogan pointed to the recent mass hack of grocery chain Hannaford Bros. in March.
"You look at Hannaford [hack] and they were compliant, so what does all this really mean," Hogan said. "There seems to be a clear inconsistency in the rules."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.
Cite this Site
copy text (above) for proper citation
Recommended Reading
- Fixed-Mobile Convergence: Dartmouth Beefs Up Cell Coverage, Cuts Costs
Problems with cell phone coverage aren't uncommon on college campuses. There are two main reasons: The beefy structure of historic buildings can block cellular reception within walls, and, on more remote campuses outside cities, signal coverage can be light.
- Thompson Rivers U Deploys Unified Digital Campus for ERP
Thompson Rivers University (TRU) in British Columbia has selected SunGard Higher Education's Banner Unified Digital Campus (UDC) to integrate its ERP systems.
- DV Kitchen Web Video Publishing System Released
DVcreators.net has released DV Kitchen, a new video encoding and publishing application for Mac OS X designed specifically for creating materials to be posted on the Web.
- NEC Debuts 4 Education Projectors
NEC this week debuted four new projectors targeted toward education applications, along with a new MultiSync LCD display. The new NP-series projectors are entry-level models started at $899 but are designed to provide high light output, support for closed captioning, and built-in networking capabilities.
- Security Researchers Uncover Spring Framework Vulnerability
Software frameworks are enjoying enormous popularity these days among a range of developers. It's popularity well earned; frameworks provide powerful tools for building more flexible and less error-prone applications. They generally enhance developer productivity with out-of-the-box functionality. And they can free developers to focus on features instead of common coding tasks.
- 3PAR Server Arrays Integrate Fat-to-Thin Processing
Utility storage provider 3PAR has announced the release of the 3PAR InServ T400 and T800 Storage Servers. The new hardware is built on the company's third-generation InSpire architecture, featuring the 3PAR Gen3 ASIC with integrated fat-to-thin processing.
