PCI Compliance and Web Application Security: What You Need to Know for the Upcoming Policy Changes  

Resources for Federal Financial Institutions Examination Council (FFIEC)


www.americanchronicle.com

If you are a merchant that processes credit cards, then you are probably already well aware of PCI compliance, but you may not be sure how web application security fits into the picture. You may also have heard that starting in June 2008, section 6.6 of the rules for PCI compliance will go from a "best practice" to a mandatory requirement (if not, it's time to pay attention!), but you might not know what this means for your business. The fact is, in a perfect world you already have in place what is necessary to be compliant with not only section 6.6, but PCI rules as a whole. This is because ideally, you would have handled your web application security practices from the start, as the applications are built, so that you are not scrambling to add security to existing applications. Unfortunately, this is often not the case - which makes now a great time for businesses to reevaluate their web application security processes overall.

What PCI Compliance Means

A bit of background regarding PCI compliance - as credit card use has become more widespread both offline and online, and as consumer concern about security has understandably grown, the credit card industry has made an effort to ensure that sensitive information is protected. To that end, in September 2006, the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) formed the PCI Security Standards Council (SSC) and established a set of rules for what they called PCI compliance. These rules have to be followed depending on the size of a business and the number of credit card transactions it handles and, if followed properly, will help protect consumers' data from theft.

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.