You are in the: Small Business Computing Channelarrow
Small Business Technology
» ECommerce-Guide | Small Business Computing | Webopedia | WinPlanet

ECommerce-Guide provides ecommerce business owners with e-commerce news, hardware and software reviews and tutorials, online business solutions and information about PayPal and how to sell on eBay.   News, reviews and practical solutions for your online business  
Home News & Trends Solutions Resources eBiz FAQ Selling on eBay Forums Videos Products Glossary About


Search
ECommerce-Guide

ECommerce Glossary
Enter a Term:

Free Newsletters
Small Business Tech Daily
Webopedia

You are in: ECommerce-Guide

ECommerce-Guide Essentials
eBiz FAQ
Everything you need to know to start your own successful e-business.

Selling on eBay
How to make money in the online marketplace.

PayPal Payments and More
What's new in secure payments for your online store.

Shopping Cart Software
Solutions to close, process and track your online sales.

Related Articles
Amazon Takes Issue with NY Online Tax Law
Five PayPal Tools for Web Shops
Show Me the Money: Setting Up Payment Methods
McAfee Shows Shoppers your Site's Safe and Secure
The Tangled Web of PCI Compliance, Are You Ready?
By Richard Adhikari

May 9, 2008


Fear and loathing will dominate when Best Practice 6.6 of the PCI Data Security Standard becomes a requirement June 30.

The regulation requires that merchants dealing with debit and credit cards tighten up their security by both conducting application code reviews and installing Web application firewalls.

It was put forth by the PCI Security Standards Council, which issues, maintains and enforces the PCI security standards that govern payment account data security to which all corporations that deal with payment cards must adhere.

However, while stating that "proper implementation of both options would provide the best multi-layered defense", the Council says, in essence, that some merchants won't be able to implement both. The solution: select the best option for their needs. This is leading to compliance problems.

"We're addressing the problem in two ways," said Bob Russo, general manager of the PCI Security Standards Council. "If you have custom application code, it needs to be reviewed for common vulnerabilities, either by yourself or by a company that does application code reviews by a standard like OWASP. The Open Web Application Security Project, OWASP, is a worldwide free and open community focused on improving the security of application software whose materials are available under an open source license.

For off-the-shelf software, "installing an application layer firewall in front of a Web facing app will work as well," Russo explained. "You need security in the application itself if you can do it but that's not necessarily the way you need to look at this; either way will suffice."

In essence, it's going to have to be a business decision. And which option merchants choose depends on how much money they have.

"Bigger merchants have more budget and can afford to do both; but when you get into Level 4 merchants, which Visa describes as "any merchant processing fewer than 20,000 Visa e-commerce transactions per year," margins tend to be thin. (By contrast, Level-1 merchants have more than 6 million transactions a year.) Level 4 merchants "don't have lots of staff," said Ryan Barnett, director of application security at Breach Security and an instructor at the training-focused SANS Institute. "They're forced to choose between the two options."

(Continue to Page 2 for How Costs Affect Compliance)

Go to page: 1  2  Next  

Tools:
Add ecommerce-guide.com to your favorites
Add ecommerce-guide.com to your browser search box
IE 7 | Firefox 2.0 | Firefox 1.5.x
Receive news via our XML/RSS feed