Retailers covered by the Payment Card Industry data security standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance.

After June 30, all merchants accepting payment card transactions will be expected to either use a specialized firewall for protecting their Web applications or to have completed a Web application software code review for finding and fixing vulnerabilities in these applications. Companies that fail to implement either measure will be deemed to be out of compliance with PCI starting June 30.

"Most of our clients are not going to be ready," by that deadline, said Aviva Lintan, an analyst at Stamford, Conn.-based Gartner Inc. "We are amazed at how many companies are still only learning their way around the requirements" and what they call for, Litan said.

With the deadline fast approaching, though, Gartner has seen an uptick in the number of calls it is receiving from clients wanting to know more about the new controls and how to implement them, Litan added.

Section 6.6 of the new PCI requirements (download PDF) basically requires merchants to ensure that all Web-facing applications are protected against known attacks by applying either an application firewall or by completing an application code review -- either manually or by using application scanning tools. The requirements have been recommended best practice for more than 18 months but are now becoming a formal mandate.

According to Litan, many of Gartner's clients are choosing to deploy Web application firewalls instead of going the code review route. "They are looking for quick fixes. Application firewalls are quick fixes" compared to finding and fixing flaws in application software, she said. However such firewalls alone are not enough in the long run, she added: "Application firewalls are a reactive measure. You have a lot of vulnerable applications that still need to be fixed." As a result, companies that want to really secure their Web application environments will need to think beyond PCI compliance. Scanning for and fixing vulnerabilities in Web applications "should be given priority over the use of Web application firewalls, which should be used in addition to, not instead of," code reviews, she said.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.