Web applications have become a "soft spot" for cybercriminals intent on stealing credit card information. To combat the proliferation of online fraud, the Payment Card Industry (PCI) Security Standards Council (SSC) was formed to make sure that merchants who accept credit cards meet minimum security levels in how they accept, process, and transmit credit card information.
These minimum standards came to be known as the PCI Data Security Standards (DSS).
When it comes to e-commerce, merchants rely on web applications to handle credit cards. Protecting these web applications to meet PCI requirements may present technical and business challenges, depending on the existing network architecture and the chosen solution. In many cases, the path to PCI compliance can entail expensive consulting engagements and massive infrastructure overhauls.
The Payment Card Industry Data Security Standard (PCI DSS) was developed by payment brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International. It defines a set of 12 requirements for enhancing payment account data security, covering the policies, tools, and controls needed to protect cardholder data.
Compliance with the PCI DSS is not optional, nor are small companies exempt. Any company that processes or stores credit card data is required to comply with these requirements. Even a small business that processes only one credit card sale a year must implement the set of security mandates that protect cardholder information such as account data, credit card numbers, customer names, and contact information from exposure to unauthorized users.
The infamous TJX security breach disclosed in 2007 is a good example of what can happen to companies that do not have the proper security measures in place. This breach resulted in 94 million accounts being compromised with losses exceeding $70 million due to fraud.
According to court documents, the consultant retained by TJX to investigate the breach found that the company had failed to comply with nine of the twelve security measures mandated by the Payment Card Industry (PCI) Data Security Standard (DSS).
"There were ... many deficiencies and PCI DSS violations which the attacker was able to exploit in order to compromise data from the TJX network," the unnamed consultant stated. (source: Security Focus)
The monetary loss due to fraud was not the only cost of this security breach. A lawsuit was filed against TJX by over 300 banks and trust in the brand had taken a substantial downturn among customers.
PCI DSS affects merchants that handle credit card information from cards issued by any of the founder brands. It is most relevant to online merchants that process and store payment account data online.
For the majority of organizations, the standards set forth by Visa's CISP and MasterCard's SDP programs cover the qualifications for assigning both a merchant level and compliance level, along with incorporating PCI DSS.
The merchant level is based on transaction volume for the organization. The validation compliance level is based on the merchant level. It includes the validation actions and who needs to carry out these actions in order to be PCI DSS compliant.
Since web applications account for such a high percentage of vulnerabilities, the PCI DSS specifically addresses them in Requirement 6.6. This states that organizations are to ensure the highest level of application security.
“Forensic analyses of cardholder data compromises have shown that web applications are frequently the initial point of attack upon cardholder data, through SQL injection in particular.
The intent of Requirement 6.6 is to ensure web applications exposed to the public Internet are protected against the most common types of malicious input.”
There are two methods that a company can take in order to be in compliance with PCI DSS 6.6: yearly code reviews or a web application firewall.
The first alternative may provide a high level of security, but can end up being an extremely costly solution. Organizations typically use several applications and add new ones all the time. The total cost of code reviews comprises the review itself and the effort needed to fix the vulnerabilities it identifies. The IT team will need to prepare the code for review, and be available for queries and support to the reviewers. After the consultants submit a vulnerability report, your organization will need to schedule fix and test cycles to make sure the changes work as expected.
This "find, fix, and test" cycle does not always find all of the vulnerabilities in an application, resulting in more cycles. What's more, Quality Assurance will need to verify that security fixes do not interfere with business processes. Therefore, any organization choosing this alternative should allocate the following resources yearly:
More importantly, a code review finds vulnerabilities that are known to the reviewer at the time of the review. Zero-day vulnerabilities that have yet to be discovered are likely to be missed unless the code reviewer is highly proactive and goes well beyond their required duties.
Thus, the second alternative — deploying a web application firewall — becomes a more attractive solution as it provides a one-time compliance solution.
Web application firewalls focus on protecting against, rather than identifying, vulnerabilities. They perform a deep packet inspection of incoming traffic to detect threats, thereby creating a security layer in front of the application itself.
This approach offers the following advantages:
dotDefender enables companies to address challenging PCI requirements in a straightforward and cost-effective manner by utilizing a Security as a Service solution. dotDefender not only meets the application layer firewall requirement of PCI DSS 6.6, but also offers comprehensive protection against SQL injection, cross-site scripting and scores of other application-level attacks right out of the box.
dotDefender creates a security layer in front of the application to detect and protect against application-level attacks in incoming web traffic that could be used to compromise the server and steal credit card and other corporate data.
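The two routes to Requirement 6.6 discussed above, fixing the code that a review finds to be vulnerable and placing an inspection layer in front of the application, are shown side by side in the following added example. It is illustration code written for this page, not code from the original paper or from dotDefender; the table, the customer records, the request parameters and the small signature list are all constructed for the demonstration, and a real web application firewall ships a far broader and better-tuned rule set than the four patterns here.

```python
"""
Added example (not part of the original paper or of dotDefender).
Contrasts the code-review route to PCI DSS 6.6 (a query built by string
concatenation beside its parameterized fix) with the WAF route (screening
request parameters before the application sees them). All data, names and
patterns are constructed for illustration.
"""
import re
import sqlite3


# --- Code-review route: the vulnerable query and its hardened form ------

def _demo_db():
    """In-memory store holding two constructed cardholder records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, last4 TEXT)")
    conn.execute("INSERT INTO customers VALUES (1, 'A. Customer', '4242')")
    conn.execute("INSERT INTO customers VALUES (2, 'B. Customer', '1111')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer_id):
    """Builds SQL by concatenation: untrusted input is parsed as SQL.

    This is the kind of defect a code review is meant to surface; it is
    kept here only to show the behaviour the parameterized version removes.
    """
    sql = "SELECT name, last4 FROM customers WHERE id = " + customer_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer_id):
    """Binds the input as a parameter, so it can never change the query."""
    sql = "SELECT name, last4 FROM customers WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


# --- WAF route: inspect incoming request parameters before the app runs ---

# Constructed signatures for common injection shapes (a real WAF uses a far
# larger, tuned rule set; these are only for the demonstration).
INJECTION_PATTERNS = [
    re.compile(r"(?i)\b(or|and)\b\s+\d+\s*=\s*\d+"),  # tautology such as OR 1=1
    re.compile(r"(?i)\bunion\b\s+\bselect\b"),        # UNION SELECT
    re.compile(r"--|;|/\*"),                          # comment / statement terminator
    re.compile(r"(?i)<\s*script\b"),                  # reflected script tag (XSS)
]


def inspect_request(params):
    """Return (allowed, reasons) for a dict of request parameters.

    A parameter is flagged on the first signature it matches; the reasons
    list is what a deployment would write to its security log.
    """
    reasons = []
    for name, value in params.items():
        for pattern in INJECTION_PATTERNS:
            if pattern.search(value):
                reasons.append(f"{name}: matched {pattern.pattern!r}")
                break
    return (not reasons, reasons)


def handle(conn, params):
    """The protected endpoint: the inspection gate runs first, then the
    parameterized query, so both layers have to fail before data leaks."""
    allowed, reasons = inspect_request(params)
    if not allowed:
        return {"status": 403, "blocked": reasons}
    return {"status": 200, "rows": lookup_parameterized(conn, params["id"])}


if __name__ == "__main__":
    db = _demo_db()
    benign = {"id": "1"}
    hostile = {"id": "1 OR 1=1"}  # constructed tautology input
    # Without either layer the tautology returns every record.
    print("vulnerable query:", lookup_vulnerable(db, hostile["id"]))
    # The parameterized query treats the whole string as one id value.
    print("parameterized query:", lookup_parameterized(db, hostile["id"]))
    # The inspection layer stops the request before the query runs at all.
    print("gate + fixed query:", handle(db, hostile))
    print("benign request:", handle(db, benign))
```

The two layers fail in different ways, which is the practical reason the paper's "one-time" framing for a WAF needs a caveat: the signature list blocks only the shapes it knows (and will also reject legitimate values containing `;` or `--`, so rules have to be tuned per application), while the parameterized query removes the injection defect regardless of input shape but only for the code that has actually been fixed. Running the gate in front of fixed code gives detection and logging of attempts on top of a query that cannot be subverted.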