"On June 30, another refresh of the Payment Card Industry (PCI) Data
Security Standards (PCI DSS) will upgrade Web application security
testing from a best practice to a mandatory practice. The deadline
forces merchants and vendors to take a closer look at application-layer
security and emphasizes its importance in fighting increasing online
threats.
The Payment Card Industry Data Security Standards were
developed by the five leading payment card brands – American Express
Co., Visa International, MasterCard Worldwide, Discover Financial
Services LLC, and Japan-based JCB International Credit Card Co. Ltd –
now organized as the PCI Security Standards Council, to ensure the
protection of consumer credit card information and to set a global
standard for security."
"The original PCI documentation stated that “the most elusive
vulnerabilities are those introduced through custom-developed
e-commerce applications.” Gartner Inc. has estimated that 75 percent of
online attacks target Web applications, specifically. As such, the new
PCI mandate recognizes the critical importance of securing applications
in an effort to maintain a vulnerability management program by offering
more clarity around what is required for Web application security
compliance.
It mandates that all web applications be protected against
known attacks by applying either application code review or a web
application firewall. To further clarify the requirements, the PCI
Security Standards Council issued an addendum in April of this year
explaining what qualifies as a code review: 1) manual review of
application source code; 2) proper use of automated application source
code analyzer (scanning) tools; 3) manual Web application security
vulnerability assessment; or 4) proper use of automated Web application
security vulnerability assessment scanning tools."
Article Link: http://www.net-security.org/article.php?id=1143