A recent update to Payment Card Industry (PCI) standards makes it mandatory
for any organisation handling online credit card transactions either to install a
web application firewall or to have its custom application code reviewed for
common vulnerabilities.
The introduction of PCI Data Security Standard (DSS) requirement 6.6, along
with banks’ increasingly tough stance on merchants that fail to comply, is
expected to prompt a stampede for PCI compliance among UK firms.
Security reseller MIS is in no doubt of the market’s potential, having just
become the first UK Juniper, Check Point, RSA or Nokia partner to attain PCI
Qualified Security Assessor status (CRN Online, 2 July).
MIS director Etienne Greeff said: “Because PCI DSS has been delayed so much
and UK firms are so far behind, there is a massive backlog of firms that need
help to achieve compliance. PCI compliance is one of our top two business topics
for 2008.”
PCI DSS calls for merchants to invest in a whole range of security technology
besides web application firewalls, including encryption, authentication and
anti-virus software. Most industry observers believe financial penalties for
those that fail to comply with the checklist will not come into force until the
tail end of 2009.
However, Greeff indicated that those who do not fall in line could find
themselves in hot water a lot sooner. “It is true there are no financial
penalties, but it is incorrect to say there is no impetus for merchants to
comply. Banks are now going to merchants and imposing penalties if there is a
breach.
“They are doing it with tier-one retailers first and once they have reduced
the risk there they will go to the next level down.”
Ian Kilpatrick, chairman of security distributor Wick Hill, said that every
security reseller should be pushing PCI DSS to their customers as best practice.
“PCI DSS is a route to best practice rather than just a destination in
itself, so the channel should be taking users down this route,” he said. “Firms
should be using PCI DSS irrespective of whether it is for credit card data or
for key customer records as it is a real-world standard.
“I still see a number of resellers that are shy of PCI, but the checklist is
not rocket science and is well within the capabilities of any security
reseller,” added Kilpatrick.
Niche VARs working in areas such as authentication could use PCI to extend
their reach into adjacent areas such as data protection. “They should be telling
their customers: ‘PCI is going to bite, and since you have bought this component
of it, what are you doing around the other components?’,” said Kilpatrick.
However, not everyone shares this enthusiasm and the standard has received its
fair share of criticism, either for being too prescriptive, or ineffectual.
Database security vendor Secerno stands firmly in the ineffectual camp,
arguing that requirement 6.6 and the overall PCI standard remain “ineffective
for security”.
“PCI historically was written for e-commerce rather than general retailers
where breaches have actually been taking place. It is generally inadequate for
addressing the sort of internal threat that can be exploited easily, such as by
general or privileged users,” said Secerno in a hastily issued statement
following the introduction of section 6.6.
It continued: “The standard says nothing about any malware other than viruses,
it says nothing about encrypting internal data, it says nothing about protecting
data on private networks and it says nothing about securing the database.
Unfortunately, the internal threat is PCI’s blind spot.”
And not all resellers are completely convinced that PCI will be a major
driver of security spend over the next 18 months.
Jonathan Lassman, managing director of Check Point reseller Network Technology
Solutions (NTS), claimed the absence of financial penalties for non-compliance
has left resellers with few firms to pitch to.
According to Lassman, UK organisations fall into two camps: those such as
most tier-one retailers that are already compliant, and those that will sit on
their hands until they see firms around them being fined.
“Until they see someone getting fined they will think they do not need to
bother,” he said.
However, Lassman is one of a small number of sceptics in the channel. Data
security vendor Protegrity is in the process of expanding its EMEA operations in
anticipation of a boom in PCI compliance projects.
Ian Schenkel, EMEA vice president at Protegrity, concluded: “PCI compliance
is definitely going to take hold. We have seen greater uptake in the US than in
Europe, but organisations are now having to look at it in a serious manner
because the credit card firms are becoming strict in enforcing it.”