
Payment Card Industry Standard under Attack?

It's the same old story: Retailer gets hacked, thief gets away with the credit card data. But the latest security breach to make headlines adds a twist. The merchant that got hit was certified compliant with PCI DSS, the Payment Card Industry Data Security Standard designed to ward off such attacks.

“They were compliant and they got hit anyway,” Cenzic vice president of marketing Mandeep Khera said, referring to the Hannaford Bros. supermarket chain of New England, which reported in March the theft of 4.2 million individual customer credit or debit card numbers. “PCI is a little bit of a sham. It gives [businesses] a certificate, which may or may not protect you [the consumer].”

SD Times asked application security toolmakers and other experts whether PCI DSS itself is under attack, in the wake of the breach of a certified retailer. Their response: The standard needs to be more specific when spelling out best practices for securing credit card data. Such guidelines as “Review custom application code to identify coding vulnerabilities” are so broadly stated they are subject to interpretation, they asserted.

But the experts also said that although it's important for the standard to keep evolving, pointing to the Hannaford breach as a failure of PCI DSS is too simplistic.

“Security is not a static thing,” said Gary McGraw, chief technology officer for security consultancy Cigital. “You get certified at a certain point in time, but your posture has to [continually] change according to what is going on in the threat space.”

That means a retailer can be “compliant on Monday, and in violation on Tuesday,” added Tom Mahoney, director of Merchant911.org, a website that publishes information meant to help online merchants prevent credit card fraud.
 
If anything, the breach of a PCI DSS-certified retailer helps application security providers and consultants bolster a message of their own that hasn't taken hold as rapidly as they would like: writing, deploying and maintaining secure applications demands a continuing effort that begins at the outset of the development process. That, they admit, is a far more complex undertaking than simple compliance with PCI DSS.

“PCI was not intended as the sole measure to ensure security,” explained Jack Danahy, chief technology officer for application security toolmaker Ounce Labs. “Hannaford's [embarrassment] helps organizations become more sensitized about this issue.”

HP security consultant Joey Peloquin said that PCI DSS is “a brilliant first attempt that a majority of merchants can adhere to. But what do they mean by ‘review code’?” he wondered. “They don't say, ‘Hire a consultant to review code by hand.’ They don't say, ‘Run [an application security tool] to do that.’” It's a good step forward, but it's vague, added Cenzic's Khera. “PCI DSS is so high-level there is not much clarity.”

Cenzic sells application security tools; HP acquired its own line by purchasing SPI Dynamics last year.

Glenn Boyet, director of marketing and communications for the PCI Security Standards Council, which manages PCI DSS, said an update to the current version, 1.1, is expected in September. Further details were not made available. The council is composed of payment card issuers American Express, Discover Financial Services, MasterCard WorldWide, Visa International and others. Payment card issuers can fine merchants that fail to comply with the standard. Compliance is assessed by Qualified Security Assessors, who are qualified by the council.

Spirit of PCI DSS

The best way to interpret the standard—and thus ensure better protection of credit card data—is to follow the basic principles rather than satisfy vague criteria, said Cigital's McGraw. “The spirit of the law says a company is committed to protecting customers' personal information. The letter of the law is a piece of paper that says you are compliant.”

But many retailers subject to PCI DSS focus only on the outward signs of compliance, said Cenzic's Khera. “If you ask them if they are worried about securing their web applications completely, they say: ‘No, we don't care about that right now. We are PCI DSS-compliant, so we won't be penalized by Visa and MasterCard.' ”

Although what's PCI DSS-compliant and what's not is, like any mandate, subject to interpretation, most of the Qualified Security Assessors that conduct audits for the council do a good job, said Roger Thornton, CTO and co-founder of application security tool maker Fortify. “They are relatively rigorous, relatively fair and relatively consistent,” he said. McGraw didn't disagree, but he noted, “There is no accreditation board for the people doing the certifying. One firm says ‘Fine.’ Another says ‘Fix the following 18 things.’”

Still, PCI DSS specifies best practices for access control, encryption, network security and secure coding, making it “far and away the most comprehensive security standard,” Thornton said. It's important to view it for what it is: a regulatory standard that offers guidance. “PCI has done a good job of that.”

Obviously, PCI DSS can't demand too much of merchants too fast, added Ounce Labs' Danahy. “This has to be an incremental approach to be successful. Version 1.0 raised awareness; 1.1 added practices to ensure secure coding. We expect [requirements] to be increased gradually. Doing it all at once would be insurmountable for retailers.”

This story was originally published in SD Times at www.sdtimes.com, a news source for software development managers. SD Times is owned by BZ Media LLC. For more information, e-mail info@bzmedia.com or call 631-421-4185. Reprinted with permission.
