Web Application Security and the PCI DSS (Payment Card Industry Data Security Standard)
Every company that takes a credit or debit card in payment for its products or services is required to adhere to the Payment Card Industry Data Security Standard (PCI DSS). The Standard is intended to protect account information over the entire payment lifecycle. All five of the global payment card brands (American Express, Discover, JCB, MasterCard and Visa) endorse the PCI DSS and have the authority to enforce it.
There are 12 regulations grouped into six control objectives:

1. Build & Maintain a Secure Network
   - Install and maintain a firewall configuration
   - Do not use vendor-supplied defaults for passwords

2. Protect Cardholder Data
   - Protect stored cardholder data
   - Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
   - Use and regularly update anti-virus software
   - Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
   - Restrict access to cardholder data
   - Assign a unique ID to each person
   - Restrict physical access to cardholder data

5. Regularly Monitor & Test Networks
   - Track and monitor all access to network resources and cardholder data

6. Maintain an Information Security Policy
   - Maintain a policy that addresses information security
Late last year (November 2007), the PCI Security Standards Council issued a new standard for payment application software. Effective June 30, 2008, security is to be applied at the application level. That includes web applications and payment applications.
Typically, businesses subscribe to the HP model for layered security. The four layers are: physical security (asset protection), data security (authentication and authorization), application security (antivirus and application firewalls), and network security (network firewalls, virtual private network, web/content filtering, intrusion detection & prevention).
Until now, most companies have relied on perimeter security, that is, network firewalls. Beginning in June 2008, security at the application level is required. Using web application firewall software reinforces these security measures and is convenient and cost effective.
When considering web application security, the following issues should be taken into account:

A. Security
   - Is the security updated for each version, with rules released against new threats?
   - Is the granularity per site and URI?
   - Does the software identify a wide variety of scanners and bots?

B. Encryption
   - What is the impact of the encryption on performance?
   - Do the SSL keys and certificates reside on the web server, and are the keys stored securely?

C. Maintenance
   - Is initial configuration automatic?
   - Can configuration fine-tuning be accomplished in a few hours (as opposed to days)?
   - What is the rate of false positives?
   - Can the product automatically identify and protect new applications?
   - Is the product application independent?
   - What degree of expertise is required?
   - Can the product be installed and maintained with basic system administration skills?
   - Is the user interface simple to understand and navigate?

D. Deployment
   - What is the effect on the network or traffic?
   - What are the redundancy requirements?
Armed with the answers to these questions, you can compare the software tools available.