A recommendation that merchants using Web applications, such as shopping-cart software, use a firewall and have all customized software reviewed for vulnerabilities becomes a Payment Card Industry Security Standards Council mandate on June 30. Known as requirement 6.6, the measure is intended to prevent common methods of attacking such software, Troy Leach, the Wakefield, Mass.-based council's technical director, tells CardLine sister publication ISO&Agent Weekly. "They're really becoming the most-popular methods for accessing and breaking into different types of retailers and merchants, especially among the less-sophisticated Internet and e-commerce sites," Leach says. Using one such method, the hacker attempts to get an online database to reveal more than it should by entering codes that trick the software. Leach says the council kept requirement 6.6 as a best-practice recommendation until now to give retailers time to prepare as they dealt with other elements of the Payment Card Industry Data Security Standard.