Payment Standard for Web Apps Goes Live

A new payment card industry (PCI) standard for Web application firewalls and source code went into effect July 1. PCI Industry Data Security standard 6.6 gives merchants a framework to ensure that the point-of-sale information uploaded into browser-based applications is sound from "top to bottom," the organization's literature said.

The standard can be used to help thwart common threats to cardholder data. It provides two options for retailers.

Option one includes periodic manual reviews of application source code to ensure the code is not tampered with in conjunction with an application.

The second option calls for cutting off hackers at the network level. It entails implementing what the PCI calls a "security policy enforcement point positioned between a web application and the client end point" while using a firewall. Tests of the firewall's functionality -- whether implemented through software or hardware -- need to be documented for compliance purposes. The standard recommends inspecting the "contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application."

But there is still no word on what the penalties for noncompliance to this new rule should be, which is up to the payment card companies to enforce.

"As for enforcement of the new requirement, that is up to the card payment brands as the Council is not responsible for compliance and/or enforcement," explained PCI Council spokesman Glenn Boyet in an e-mail.

"It's the classic Texas two-step," said National Retail Federation Chief Information Officer Dave Hogan. "Merchants are frustrated. I mean you go to the credit card companies for clarification of the rules and they say go to the council. You go to the council and they say that's up to the credit card companies."

The ambiguity puts retailers in limbo. Typically, they are afraid to speak ill of PCI standards for fear of reprisals from credit card giants such as Visa and Mastercard, according to the National Retail Association.

Hogan, a vocal critic of all of the current standards, would like to see retailers fully absolved of the responsibility of storing cardholder data on their systems, arguing that if retailers don't store it, hackers can't steal it.

To illustrate just how much the standards aren't working, Hogan pointed to the recent mass hack of grocery chain Hannaford Bros. in March.

"You look at Hannaford [hack] and they were compliant, so what does all this really mean," Hogan said. "There seems to be a clear inconsistency in the rules."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • floating screens representing a variety of STEM education video resources

    George Fox University Expands STEM Learning Resources for Students Through Numerade Partnership

    In an effort to boost student success in STEM subjects, Oregon's George Fox University has partnered with STEM learning platform Numerade to offer students free access to the company's video tutoring platform.

  • AI-inspired background pattern with geometric shapes and fine lines in muted blue and gray on a dark background

    IBM Releases Granite 3.0 Family of Advanced AI Models

    IBM has introduced its most advanced family of AI models to date, Granite 3.0, at its annual TechXchange event. The new models were developed to provide a combination of performance, flexibility, and autonomy that outperforms or matches similarly sized models from leading providers on a range of benchmarks.

  • translucent lock composed of interconnected nodes and circuits at the center

    Cloud Security Alliance: Best Practices for Securing AI Systems

    The Cloud Security Alliance (CSA), a not-for-profit organization whose mission statement is defining and raising awareness of best practices to help ensure a secure cloud computing environment, has released a new report offering guidance on securing systems that leverage large language models (LLMs) to address business challenges.

  • digital bookshelf displayed on a computer screen

    OverDrive, Ex Libris Integration Streamlines Discovery of Digital Content

    OverDrive, a provider of digital resources for schools and libraries, has announced an integration with library management provider Ex Libris that will allow academic institutions to discover the former's e-books and audiobooks within the Alma and Primo library services platforms.