Effective June 30, 2008, the PCI Security Standards Council (SSC) has mandated that merchants must comply with Requirement 6.6. You know the one. It's the final requirement listed in Requirement 6: Develop and Maintain Secure Systems and Applications. It says:
6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications.
Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.
Changes in eCommerce
What does this mean for us in eCommerce? Well, it means that you have a decision to make about how to secure your web-facing applications. Do you perform a manual code review or install an application layer firewall? How about both? Both are considered best practices for eCommerce security at this point and the PCI DSS standard will only grow to become more stringent, more specific, and likely extend beyond minimal security standards. So you may as well start now. There are four options for application code review, as outlined by the PCI SSC:
- Manual review of application source code
- Proper use of automated source code analyzer (scanning) tools
- Manual web application security vulnerability assessments
- Proper use of automated web application security vulnerability assessment (scanning) tools
If you don't have control over your source, make sure you're working with software packages/vendors that meet the new requirements.
That's not all! I also received an email from McAfee, our Approved Scanning Vendor (ASV), letting us know that also effective June 30, 2008, the PCI SSC is requiring ASVs to change from version 1 to version 2 of the Common Vulnerability Scoring System (CVSS). What does the change mean for you? Well, it changes the way certain vulnerabilities are scored. Consequently, some low priority vulnerabilities from version 1 will now be scored as higher risk vulnerabilities and could cause a failing PCI network scan score, resulting in non-compliance until you can fix the issue. They pointed out that the five most frequently found vulnerabilities are as follows:
- SSL Protocol Version 2 Detection -- Don't use SSLv2.
- Weak Supported SSL Cipher Suites -- Don't use cipher suites with less than 128-bit encryption.
- Default Microsoft IIS Files and/or Frontpage Extensions Found -- Don't.
- OpenSSL Multiple Vulnerabilities < 0.9.8d -- Don't use OpenSSL below 0.9.8d; it's got a number of serious vulnerabilities.
- OpenSSL PKCS Padding RSA Signature Forgery Vulnerability -- Could allow an attacker to forge an RSA signature and pose as a trusted party.
You should work directly with your ASV if a vulnerability risk is uncovered.
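As an added example (not from the original post, and not McAfee's scanner), the Python below turns the remediation floors in that list into a self-check you can run over your own server inventory before the ASV scan. The inventory record format, the field names, and the sample host are all constructed for this example; the PKCS padding forgery item is not modelled separately, since its fix is the same OpenSSL upgrade.

```python
import re

MIN_OPENSSL_VERSION = "0.9.8d"   # floor given in the list above
MIN_CIPHER_BITS = 128            # floor given in the list above


def parse_openssl_version(version: str) -> tuple:
    """Turn an OpenSSL version string such as '0.9.8c' into a sortable tuple.
    Letter suffixes are patch releases (0.9.8 < 0.9.8a < ... < 0.9.8d), so the
    suffix is compared as a string; a bare '0.9.8' gets an empty suffix and
    therefore sorts before every lettered release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def check_server(config: dict) -> list:
    """Return the findings from the list above that `config` would trigger.
    `config` is a hypothetical inventory record: protocols offered, cipher suite
    names mapped to key length in bits, the OpenSSL version in use, and whether
    default IIS content or FrontPage extensions are installed."""
    findings = []
    if "SSLv2" in config.get("protocols", []):
        findings.append("SSL Protocol Version 2 Detection")
    weak = sorted(name for name, bits in config.get("ciphers", {}).items()
                  if bits < MIN_CIPHER_BITS)
    if weak:
        findings.append("Weak Supported SSL Cipher Suites: " + ", ".join(weak))
    if config.get("default_iis_files") or config.get("frontpage_extensions"):
        findings.append("Default Microsoft IIS Files and/or Frontpage Extensions Found")
    if parse_openssl_version(config["openssl"]) < parse_openssl_version(MIN_OPENSSL_VERSION):
        findings.append(f"OpenSSL Multiple Vulnerabilities < {MIN_OPENSSL_VERSION} "
                        f"(found {config['openssl']})")
    return findings


# Constructed sample host, not a real server: offers SSLv2, two sub-128-bit
# suites, and runs one release below the 0.9.8d floor.
EXAMPLE_SERVER = {
    "protocols": ["SSLv2", "SSLv3", "TLSv1"],
    "ciphers": {"AES256-SHA": 256, "RC4-MD5": 128, "DES-CBC-SHA": 56, "EXP-RC4-MD5": 40},
    "openssl": "0.9.8c",
    "default_iis_files": False,
    "frontpage_extensions": False,
}

if __name__ == "__main__":
    for finding in check_server(EXAMPLE_SERVER):
        print("FAIL:", finding)
```

The version comparison is the part people get wrong by hand: a plain string compare would rank "0.9.8" above "0.9.8d", while the tuple form ranks it below every lettered patch release.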
PCI Keeps us on our Toes
Don't get comfortable once you've knocked these new requirements out. By October 2008, the PCI SSC will have released/required version 1.2 of the PCI DSS. The same 12 core requirements will apply. Supposedly, however, the newer version will "enhance the clarity of its technical requirements, offer improved flexibility..." (Thank God).
One last note: The PCI SSC website is www.pcisecuritystandards.org. Does anyone else think it's funny that when you visit http://pcisecuritystandards.org/ (sans "www"), that you get a security error? It's such an easy fix...