Web Application Firewall For PCI Compliance

When it comes to electronic payments, web-based threats, attacks and crimes are escalating. To combat this, the Payment Card Industry has created the Data Security Standard (PCI DSS) for all companies that process or store credit card data. These standards enhance payment account security and protect cardholder data.

Companies that are not PCI compliant, even those that process very few transactions, have a lot to lose, and those costs continue to rise. In addition to fines, they can be prohibited from accepting credit cards and suffer major losses.

The average total cost of a data breach was $6.75 million in 2009, according to the Ponemon Institute’s annual study. They found that incidents affected businesses of all sizes. The most expensive that was reported cost nearly $31 million to resolve, and the least expensive cost $750,000.

In one recent example, within one week, Network Solutions was hit with two major malicious code and malware attacks. As one customer wrote: “We have spent at least a hundred hours over the past few weeks trying to repair our site … only to have it halfway working again. Now, before it’s even 100% restored, you let them back in? Who’s going to compensate me for the near complete loss of traffic and ad revenue from this problem?”

When you are working towards compliance, you have a couple of options regarding your Web applications:

1. Code review

This often entails various procedures. Applications should be reviewed by an organization specializing in security. If you opt for this method, your internal IT team must prepare the code for review, and be available for queries and support. Once vulnerabilities are identified they should be corrected, and when that is completed the application is tested and re-evaluated. Then fix and test cycles are scheduled on an ongoing basis.

Code review doesn’t always find all vulnerabilities, such as those unknown to the reviewer at the time. And the application must be re-tested frequently, including with each code change. This is often extremely costly because of the tools, training, consultants and employees required, as well as production outages, manual validation and elimination of false findings, data ownership issues and more. When third-party software is used, you don’t own the code and can’t fix it without breaking the licensing agreement. You can tell the vendor about it and hope they resolve it.

2. Web application firewall

A more consistent, less costly and more reliable method is the use of an application layer firewall. Unlike code review, it:

  • Provides an ongoing compliance solution that protects your website and Web services, even as updates and changes in code are made
  • Protects against vulnerabilities instead of simply identifying them
  • Requires no development effort
  • Is suitable for third-party applications and components
  • Causes little to no interference with business processes
  • Proves and documents corrected vulnerabilities
  • Has minimal impact on website response times
  • Performs deep packet inspection of incoming traffic, creating a security layer in front of all Web applications

The intended outcome of PCI DSS 6.6 is a web application vulnerability lifecycle that eliminates risk. With a web application firewall, not only is comprehensive compliance achievable, so is exceptional value to application owners and users.

Learn more about Edge Web Hosting’s 5 Tier security at /security/
