Payment Card Industry Mandate Stresses Importance of Web Application Security: Recommended Becomes Required
by Danny Allan - IBM Rational's Director of Security Research - Tuesday, 10 June 2008.
Meeting the PCI requirements for Web application security by employing code review and a Web application firewall is a great starting point, but to fully protect consumer data and implement a comprehensive online risk management strategy, organizations must also enforce policies that include ongoing compliance monitoring procedures.

Consider these recommendations:
  • Educate consumers about the dangers of online scams and alert them to threats such as phishing, key logging and pharming. The more knowledgeable customers are about online scams, the less fearful and vulnerable they will be.
  • Offer privacy and security guarantees to customers in the event of fraud or identity theft. Prominently highlight the company's promise to protect customer information and make privacy and security policies simple to understand and easily accessible on the website.
  • Communicate and market the website's online privacy and security features in ways consumers can understand. Retailers have an opportunity to incorporate site features that promote confidence and trust, such as offering clear and easy ways to find help.
  • Closely monitor and manage relationships with third parties to ensure the same, if not higher, security standards are in place to protect customer information. Security and privacy are not only about your company's site but also about the sites of outsourcers and partners that may handle sensitive information.
  • Develop an action plan to immediately update customers, legal authorities and the hosting provider of the offending site when a scam has been detected. Taking the appropriate steps to address the problem limits a company's exposure window.
  • Use automated solutions to monitor for application vulnerabilities and achieve compliance with a range of laws, best practices and security and privacy policies. These also include the identification of privacy and Web application security issues and cross-site scripting vulnerabilities that can lead to breaches. Preventing or detecting such flaws early gives companies more lead time to execute a response plan and encourages a trusted online environment for customers.
While Web teams are busy optimizing websites to support online transactions, do not neglect the important step of securing the site, the applications and the data they collect. Not only will this fulfill the latest PCI mandate, but it will improve an organization's security overall and ensure that there is a framework in place to manage future threats. It takes only a single breach to ruin a reputation.

