Out of credit

By Colin Edwards on Sunday, April 01, 2007

Awareness of the global standard that requires merchants and other businesses to ensure they have networks able to protect credit cardholder data remains low.

Most enterprises are not even aware that their traditional network firewalls cannot protect against application-layer attacks, according to a report by Forrester.

Payment card ignorance prevails despite more than six months passing since American Express, Visa International, MasterCard Worldwide and other credit card issuers updated the Payment Card Industry (PCI) Data Security Standard.

According to Forrester, the use of Web application firewalls (WAFs) to comply with PCI will become part of global security strategies.

"Improvement in network security means that attackers are commonly probing Web servers and Web applications for an easy way in, and WAFs have grown along with this kind of attack," says the study.



The updated PCI (version 1.1) includes 12 requirements seeking to establish a defence-in-depth network strategy at merchants, with heavy fines being considered for non-compliance. The requirements include implementing strong access control measures, monitoring and tracking all access to network resources and restricting access to the network on a need-to-know basis.

As PCI impacts every merchant with credit card facilities - that includes tens of thousands of formal retailers in the region - it is essential that security vendors educate the market as to WAFs' role in blocking attacks on Web applications and why they are necessary in complying with PCI.

"What many firms do not understand is how they (WAFs) differ from a traditional network firewall. Network firewalls look at traffic on a packet-by-packet basis, whereas WAFs look at multiple packets together, modelling the entire session to understand overall application activity," explains the report, which forecasts rapid growth for WAFs.

According to the recently-published Symantec internet security threat report, more than 69% of vulnerabilities affected Web applications. The same study says 77% of easily exploitable vulnerabilities affected Web applications.

The PCI standards have to be met by next year. The report expects WAFs to be commoditised by the end of the decade. In the meantime, merchants have a choice of complying with the standard by installing a WAF, or by code reviewing each individual Web application used.

Forrester says that although stand-alone equipment will be deployed in the initial phases, the functionality of these devices will gradually be built into other equipment. It lists Breach Security, Citrix Systems, F5 Networks, Imperva, NetContinuum and Protegrity as currently the leading WAF vendors.

According to the Symantec internet threat report, underground economy servers are being used by criminals and criminal organisations to sell stolen information, including credit cards, bank cards, PIN codes and user accounts.

"As cyber criminals become increasingly malicious, they continue to evolve their attack methods to become more complex and sophisticated in order to prevent detection," says Arthur Wong, senior VP, Symantec Security Response and Managed Services.

"End users, whether consumers or enterprises, need to ensure proper security measures to prevent an attacker from gaining access to their confidential information, causing financial loss, harming valuable customers, or damaging their own reputation."

