PCI payment standards come into play

PCI Section 6.6 should not be treated as an approval system for e-commerce security

Companies have been warned to be aware of Section 6.6 of the Payment Card Industry (PCI) standard that comes into force at the end of June.

The new section mandates the use of web application code reviews or the installation of an application level firewall for any business dealing with online transactions.

However, security experts also advise that the new requirements of the standard should not be treated as a 'rubber stamp' approval system for e-commerce security, and should be included in a company's overall IT security plans.

David Hobson, managing director at specialist security reseller and systems integrator Global Secure Systems (GSS), said that information security had to be approached holistically.

"Understanding what organisational assets require protection, what risks (i.e. the consequence of loss) relate to those assets and what the correct risk treatment decisions are is critical in defining a security strategy," he said.

"On top of this, if organisations are going to slavishly follow standards like PCI in 'tick-box' fashion, they may achieve compliance, but they are almost certainly not going to be fully secure against fraud."

GSS believes that that organisations need to identify what they are trying to achieve, and how they are trying to achieve it, before any further steps are taken.

"If organisations are unable to answer these two simple questions they run the risk of spending large amounts of money meeting the PCI s6.6 standards requirements for very little improvement in their actual IT security posture," said Hobson.

"No amount of point solutions (firewalls, database security tools, code reviews) are going to deliver 'security' unless your organisation understands its control objectives and gets its executives to buy into the process of meeting those objectives.

"Only then should the company consider what the relevant controls should be. "