Web Applications have become a "soft spot" for cybercriminals trying to steal credit card information. To combat the proliferation of online fraud, the Payment Card Industry (PCI) took steps to protect cardholder data by addressing the scourge of Web Application attacks in its Data Security Standard (DSS).

The PCI DSS stipulates that any company that accepts credit, debit, or bank cards must take special steps to secure its web applications. PCI DSS Section 6.6 requires that companies either install an application layer firewall in front of Web Applications; or have all custom application code viewed for vulnerabilities by an organization that specializes in application security.  The recommendation is to take both actions, as non-compliance may result in security breaches, lost customers, potential lawsuits, and large fines.

PCI Security Standards Council

The Payment Card Industry Security Standard (PCI DSS) is a set of 12 requirements for enhancing payment account data security. These requirements define the policies, tools, and controls needed to protect cardholder data. The PCI DSS was developed by payment brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International.

The PCI DSS obliges companies who process credit card data to comply with a comprehensive set of security mandates in order to ensure the safety of cardholder information such as account data, credit card numbers, customer names and contact information. The aim is to find a solution that will protect the cardholder from being exposed to unauthorized users.

More Security Industry Information

PCI DSS affects merchants that handle credit card information from cards issued by any of the founder brands. It is most relevant to online merchants that process and store payment account data online. For the majority of organizations, the standards set forth by Visa's CISP and MasterCard's SDP programs cover the qualifications for assigning both a merchant and compliance level, and incorporating PCI DSS.

The merchant level is based on transaction volume for the organization. The validation compliance level is based on the merchant level, and includes the validation actions and who needs to carry out the validation actions, in order to be PCI DSS compliant.

• Level One: Visa U.S.A. and MasterCard World Wide transactions totaling $6 million and up, per year, and any merchants who experienced a data breach. Level one merchants are required to have an annual on-site compliance assessment performed by a certified third-party auditor. In addition they are required to have external network security scans performed quarterly by a certified third-party vendor (ASV).
   
• Level Two: Visa and MasterCard transactions totaling $1 million to $6 million per year. Level Two merchants are required to complete the PCI DSS Self Assessment Questionnaire annually, and carry out a quarterly network security scan with an approved ASV.
   
• Level Three: Visa and MasterCard e-commerce transactions totaling $20,000 to $1 million per year. Level Three merchants are required to complete the PCI DSS Self Assessment Questionnaire annually, and carry out a quarterly network security scan with an approved ASV.
   
• Level Four: Visa and MasterCard e-commerce transactions totaling up to $20,000 per year. Level Four merchants are required to complete the PCI DSS Self Assessment Questionnaire annually, and carry out a quarterly network security scan with an approved ASV.

More Security Industry Information