Fear and loathing will dominate when Best Practice 6.6 of the PCI Data Security Standard becomes a requirement June 30.
The regulation requires that merchants dealing with debit and credit cards tighten up their security by both conducting application code reviews and installing Web application firewalls.
It was put forth by the PCI Security Standards Council, which issues, maintains and enforces the PCI security standards that govern payment account data security to which all corporations that deal with payment cards must adhere.
However, while stating that "proper implementation of both options would provide the best multi-layered defense", the Council says, in essence, that some merchants won't be able to implement both. The solution: select the best option for their needs. This is leading to compliance problems.
"We're addressing the problem in two ways," said Bob Russo, general manager of the PCI Security Standards Council. "If you have custom application code, it needs to be reviewed for common vulnerabilities, either by yourself or by a company that does application code reviews by a standard like OWASP. The Open Web Application Security Project, OWASP, is a worldwide free and open community focused on improving the security of application software whose materials are available under an open source license.
For off-the-shelf software, "installing an application layer firewall in front of a Web facing app will work as well," Russo explained. "You need security in the application itself if you can do it but that's not necessarily the way you need to look at this; either way will suffice."
In essence, it's going to have to be a business decision. And which option merchants choose depends on how much money they have.
"Bigger merchants have more budget and can afford to do both; but when you get into Level 4 merchants, which Visa describes as "any merchant processing fewer than 20,000 Visa e-commerce transactions per year," margins tend to be thin. (By contrast, Level-1 merchants have more than 6 million transactions a year.) Level 4 merchants "don't have lots of staff," said Ryan Barnett, director of application security at Breach Security and an instructor at the training-focused SANS Institute. "They're forced to choose between the two options."
Money Talks with PCI Compliance
Experts see cost driving merchants to the Web firewall option.
"If someone was to buy one of our moderate-sized Web applications it would cost them $7,500," said Jim Libersky, vice president of sales and marketing at The Barrier Group. The firm offers an Intelligent Threat Management appliance that includes a Web application firewall, anti-spam, anti-virus, Web content filtering and more than 20 other technologies. "How many lines of code would it take to chew up that amount of money?"
Most companies would select the Web firewall application "because it's cheaper and faster than code review, and they ignore the fact that it doesn't protect them against the majority of security vulnerabilities, especially the most dangerous ones, which are in the application layer," said Ed Adams, president and CEO of Security Innovation, which conducts code reviews for clients.
The result: "I guarantee you'll see more TJX's, and that will continue until CIOs get it," Adams said. The TJX refers to the department store chain that lost hundreds of millions of dollars in legal fees, a reimbursement and other payments after hackers stole about 47.5 million records over a period of 18 months between 2005 and 2006.
Code Review vs. Firewalls
You can't really compare the protection offered by a Web application firewall to that from having a code review; each has its merits.
"Web application firewalls don't protect you against what happened to TJX," growled Adams. "People forget that PCI compliance doesn't equate to security, and 99 percent of organizations will only do the bare minimum that's required to pass the audit because that's all they're held accountable to."