Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

PCI compliance deadline draws nearer

Dns : 14 May, 2008  (Technical Article)
DNS predicts that majority of retailers will not achieve PCI-DSS compliance before the deadline by the end of June
Latest comment from Gartner reveals that most of the analyst firm's clients will not be ready to meet the PCI-DSS Section 6.6 deadline of 30th June. After this date all merchants that accept payment card transactions will have to use either a specialised firewall to protect web applications or to have completed a web application software code review to ensure that any vulnerability is discovered and fixed.

Even though these measures have been encouraged as best practice over the past 18 months, Gartner's comments seem to point to the fact that many are still not in a position to adhere to this new regulation. Indeed, many appear to be still struggling with the exact actions they need to undertake, let alone to start putting them in place.

Information security consultancy dns ( believes that even retailers that have started the process are in many cases looking for a quick fix solution, focusing on installing web application firewalls, instead of undertaking the full code review. This obviously will bring them in line with current regulation, but still leaves them exposed not only to further, enhanced regulation, but also to attack, with flaws in application software still vulnerable.

With so many retailers struggling to meet the deadline in just over a month and half, what can they do to make sure that they do not fall foul of the regulation?

"With the deadline rapidly approaching retailers are going to be looking to bring in security policies quickly to ensure that they adhere to this regulation. But the PCI-DSS has been brought in for a reason, and unless companies fully understand the sensitive nature of the customer information they hold, the problems will continue and customer confidence will keep falling," said Lee Lawson lead penetration tester at dns.

Lawson continues. "We have come across companies who are unsure of what steps they should be taking and so have left it until the last minute. They should not be looking for a quick fix in this case - it does not help the company long term as increased regulation is inevitable, and certainly does not help the customer if there are still flaws in existing applications, leaving sensitive information exposed."

"If companies are unsure then they should perhaps look to bring in independent dedicated experts, to talk them through the process, advise on best practice and help to implement and monitor controls. Without this support, companies will continue to struggle after the 30th June with a detrimental effect on both security and customer confidence," Lawson concluded.
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo