We at Retriever Payment Systems spend a lot of our time selling Credit Card Processing. The second focus point in our presentations is education. It is a scary world out there with FRAUD and compromised data a daily news item. There are mistakes that many organizations make related to web application security. First, many businesses and government organizations have historically focused their attention on network security rather than web application security, and it may seem that PCI deadlines are coming out of nowhere and that businesses are scrambling to achieve PCI compliance. But the fact is, your business should have ensured that all of its web applications were secure from the beginning. PCI compliance shouldn’t be viewed as a checklist, because then all that will happen is that unreliable fixes will be applied to problems. Instead, the concept of web application security needs to be implemented within the web application itself. When web application security is implemented properly, the PCI compliance requirements related to web application security are automatically met.
As a result, the development and QA teams at businesses need to be focused on web application security. It may be that businesses will need to take their web applications and break them down from the start, rather than trying to install patches and fixes for PCI compliance.
Another section related to PCI compliance that could cause problems to a merchant, states that security scans must be done on a regular basis. If instead of fixing web application security issues internally, patches had been installed as an afterthought, these scans could become nightmarish because they will identify hundreds of issues that will need to be fixed. Better to take the time up front to build in web application security measures and avoid this problem altogether.
Businesses that process credit cards are likely already aware that they must be PCI compliant – but they may not have worked very hard to make sure that they are. In 2008, one of the subsections of PCI compliance became mandatory, and businesses have to evaluate their web applications very carefully. By ensuring that web application security is built from within, rather than by adding on fixes that will only work in the short term, businesses will find that not only are they compliant with one part of the PCI standards, but that they are compliant with all of them, and that their customers’ data is secure across the board.
Retriever assists our customers with their compliance questions. Building it right from the ground up is the safest and best way to assure the safety of your client’s information. Choose a firm with a robust PCI Compliance program that offers scans and indemnification in case you are compromised. To Your Success,