April 23, 2001
Security - The Enemy Within
continued...page 2 of 2
Visa USA hopes to get its 100 largest E-commerce merchants, which represent 70% of the company's U.S. sales, to fully implement the requirements by May 1. For online merchants that can't prove compliance by then, Visa expects an action plan with "reasonable" target dates for compliance, Bruesewitz says.
For some E-merchants, complying with the 12 requirements won't be easy and will require both technical and managerial acumen. "The biggest challenge is the encryption of credit-card information in a database," Bruesewitz says.
Security isn't cheap, but the total cost of ownership for security isn't primarily the infrastructure. Though the firewall industry alone topped $1 billion in sales last year, a February report from market-research firm Infonetics says the most important security costs occur after security technology is purchased and installed.
"The real expense is the ongoing commitment to maintenance and upgrades. The cost of purchasing the technologies is small compared to the cost of corporate commitment," says Corby. This sentiment is echoed by security consultant Jason Fossen (see story, p. 72), who recommends that security administrators subscribe to mailing lists and stay abreast of security alerts and patches on a daily basis.
Denial-of-service attacks, flaws in server software, and problems with Internet services are reported weekly, and sometimes daily, and that makes it difficult for IT security managers to determine how important those flaws are to their particular site. A new area of cost concern arises when it comes time to prioritize the stream of security vulnerabilities and issues that need to be resolved.
Security Blunders
The top seven management errors that lead to computer security vulnerabilities:
- Assigning untrained people to maintain security
- Failing to understand the relationship of information security and business goals
- Failing to monitor security problems on an ongoing basis
- Authorizing short-term fixes so problems re-emerge
- Failing to realize how a company's reputation can be damaged by poor security measures
- Relying primarily on a firewall
- Pretending the problem will go away if ignored
Data: Sans Network Security Roadmap 2001
There are several Internet databases that archive security vulnerabilities, but Cisco's Secure Encyclopedia actually helps security personnel prioritize potential problems. The free service is a database that helps consultants and security professionals prioritize vulnerabilities by relating security faults to specific industries.
One of the primary reasons for the success of recent security break-ins is that companies don't have the time and resources to properly fix their security infrastructure, so tools such as the Cisco Secure Encyclopedia can be important in determining how best to allocate available resources to fix vulnerabilities.
To help decision makers prioritize the security vulnerability statistics they've gathered, the encyclopedia uses Cisco's own data warehouse, which contains more than three years of data compiled by testing customer sites for security flaws. To rank the seriousness of vulnerabilities, the encyclopedia makes a distinction between internal and external ones.
Internal vulnerabilities aren't directly accessible from the Internet, while external vulnerabilities are. The Network File System, for example, may be vulnerable when tested from within the company network, but it isn't normally accessible from outside the firewall. While external vulnerabilities are typically the ones that come under direct attack from outside the enterprise, both employees and successful outside attackers can exploit internal vulnerabilities.
The Cisco Secure Encyclopedia came about because Cisco consultants found that while they could determine vulnerabilities that existed at customer sites, they often couldn't determine which vulnerabilities were most important to customers.
"Unless the consultant has been entrenched at the customer site for a long time, it's rather impossible for an outside consultant to come in and understand the business processes of the client," Fuhrman says. "We highlight what we think are the most egregious security holes, but those don't always line up with what the customer thinks are most important."
Reasons for prioritization vary, but one reason that can't be ignored is marketing. Security is playing a more important role in marketing business-to-business services, as well as consumer services. Companies find that they need to inspire confidence with their customers by maintaining parity with their competitors. Thus, a company may prioritize fixing a particular service or set of services that are used, say, to communicate with its business partners, even if more statistically serious problems exist in other areas of its infrastructure.
The Cisco Secure Encyclopedia, along with many other tools, is moving to the Common Vulnerabilities and Exposures naming convention, which is an attempt to apply a common naming scheme to known security vulnerabilities. Once vulnerabilities have a common name associated with them, security tools and databases will be able to easily index and refer to them, facilitating communication and awareness. Such awareness, and ongoing commitment to security, is what businesses need, and what their customers demand.
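As an added illustration, not the article's or Cisco's own code, the Python below ranks constructed assessment findings by the two factors the article describes: exposure (external before internal) and the customer's business weighting of the affected service, with each finding indexed by a CVE-style common name. The service names, weights, scoring formula and CVE-format placeholder numbers are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed example: rank findings by exposure (external vs. internal) and by
# the business weight a customer assigns to the affected service. Not Cisco's
# algorithm; the CVE numbers used below are placeholders, not real entries.
CVE_NAME = re.compile(r"^CVE-\d{4}-\d{4,}$")  # common naming format from the text

@dataclass(frozen=True)
class Finding:
    cve: str        # common name in CVE format (placeholder values in SAMPLE)
    service: str    # affected service on the customer site
    severity: int   # technical severity, 1 (low) to 10 (critical)
    external: bool  # True if reachable from the Internet, False if internal only

# Assumed customer-supplied weights: services used to talk to partners or
# customers count for more than their raw technical severity alone.
BUSINESS_WEIGHT = {"partner-edi": 2.0, "web-storefront": 1.5}

def is_cve_name(name: str) -> bool:
    """True if the identifier follows the CVE naming convention."""
    return bool(CVE_NAME.match(name))

def priority(f: Finding, weights=BUSINESS_WEIGHT) -> float:
    """Score = severity x exposure x business weight; external counts double."""
    if not is_cve_name(f.cve):
        raise ValueError(f"finding lacks a common name: {f.cve!r}")
    exposure = 2.0 if f.external else 1.0
    return f.severity * exposure * weights.get(f.service, 1.0)

def rank(findings, weights=BUSINESS_WEIGHT):
    """Highest priority first; ties keep input order."""
    return sorted(findings, key=lambda f: priority(f, weights), reverse=True)

# Constructed sample findings (CVE numbers are placeholders).
SAMPLE = [
    Finding("CVE-0000-0001", "nfs", 9, False),            # NFS hole, internal only
    Finding("CVE-0000-0002", "partner-edi", 5, True),     # partner link, Internet-facing
    Finding("CVE-0000-0003", "web-storefront", 6, True),  # customer-facing web server
    Finding("CVE-0000-0004", "intranet-wiki", 7, False),  # internal service
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        side = "external" if f.external else "internal"
        print(f"{priority(f):5.1f}  {f.cve}  {f.service:15s}  {side}")
```

The severity-5 partner-facing hole ends up ahead of the severity-9 internal NFS hole, which is the kind of business-driven ordering the article describes.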