Monday Was the PCI 6.6 Deadline: Are You Compliant?
06/30/2008
By Joseph Miller, Engagement Manager of Technology Risk Management, Jefferson Wells
Today is June 30. Are your web-facing applications protected against attacks?
Another compliance deadline for the Payment Card Industry Data Security Standard
(PCI DSS) is here. As of today, Requirement 6.6 of the PCI DSS mandates that
all merchants accepting payment card transactions either install a specialized
firewall in front of their web-facing applications, or complete a manual or
automated code review of their web applications that identifies and fixes
vulnerabilities within the Software Development Life Cycle (SDLC). The intent of
the requirement is to ensure that web- or browser-based applications that
interface with the public Internet are protected against the most likely
malicious attacks, which are listed and described in Requirement 6.5.
Prior to June 30, this new requirement was considered a best practice. Now,
it is the sixth of 12 requirements for compliance. The PCI DSS organizes the
12 requirements in six logically related control objectives, including maintaining
a secure network, protecting cardholder data, maintaining a vulnerability management
program, implementing strong access control measures, monitoring and testing
networks, and maintaining an information security policy. Requirement 6.6 falls
under the "maintain a vulnerability management program" control objective.
Since 2004, when PCI DSS compliance was first implemented, merchant banks and
card brands have enforced compliance by issuing fines for missed deadlines. Even
though the number of merchants fined has steadily increased in the past two
years, the rate of compliance has remained slow, mainly because of the
standard's complexity.
According to a recent report from Visa USA, approximately 77 percent of the
largest merchants and nearly two-thirds of medium-sized merchants are compliant
with current regulations for the PCI DSS. This is up from the first quarter
of 2008, when Visa reported that only 65 percent of the largest merchants were
compliant with current regulations.
Compliance with Requirement 6.6 of the PCI DSS is another very important step
in securing customer data. However, it is anticipated that many merchants will
miss this deadline, just as they have missed past ones, because of inaccurate
testing, the complexity of the overall PCI DSS compliance process, and the lack
of fines issued to non-compliant merchants by merchant banks and card brands.