PCI Chiefs Defend Standard(s), Plans
It's a gross oversimplification of an utterly staggering technical and social challenge, and he knows it as well as anyone, but it's hard to argue with PCI Security Standards Council General Manager Bob Russo's assertion that when it comes to improving electronic data security and related matters of individual privacy, "something is much better than nothing." Since the massive, potentially record-breaking security breach at Heartland Data Systems in late January, the Payment Card Industry Security Standards Council and its DSS (Data Security Standard) have been put under a microscope and criticized for foisting on companies an impractical IT security mandate that detractors say does not actually meet its goal of making it harder for companies that handle credit and debit card data to be fleeced the way Heartland was. Some highly respected security researchers and practitioners have come out since the Heartland robbery and questioned the viability of the entire DSS effort, perceiving it as out of touch with real-world IT environments and insufficient to help organizations avoid exploitation. A handful have gone as far as saying it actually makes the process even harder. And after all, here's a Tier 1 company that has likely had to push to abide by the technological and process-oriented stipulations required under the PCI Standard as much and as long as any other, and it just got positively hammered. However, visiting Boston on a media tour organized to share some new elements of the PCI Council's larger plans the week of Feb. 23, Russo and new PCI Security Standards Council Chairman Lib de Veyra -- an executive at and appointee of JCB International Credit Card -- made a lot of credible points, mostly because they firmly recognized the reality that no standard is perfect and that DSS as it exists is only a first step in a long evolutionary process.
Not to be misinterpreted, the PCI Council is satisfied with what it has put in place thus far, given the challenge at hand, Russo and de Veyra said. The parts of DSS that need to be tweaked to address the vast diversity of infrastructure and applications employed by all the retailers, merchants and processors, as well as all the techniques utilized by attackers, will be addressed by taking feedback directly from the very companies that must comply with the standard, the PCI Council representatives said. (And truthfully, that has been at the very least a consistent message of the organization all along.) A number of powerful banking, retail, technology and government players are also involved in the PCI Advisory Board. And the Heartland incident, as well as those reported at other companies that have at some time been certified as PCI compliant, including TJX Companies and Hannaford Brothers, in no way proves that the standard is clearly lacking in some specific area, they said. The PCI leaders said that, in addition to these companies having not yet shared specific details with the Council of exactly how they were individually victimized by fraudsters, the fact that they were at one time judged to be in conformity with DSS in no way guarantees that they were at the time they were attacked. "Just because a company gets a clean bill of health today doesn't mean they can't be infected tomorrow," de Veyra said. "Organizations are making configuration changes and broadening adoption of technologies like wireless all the time; the guidelines in DSS are something that you have to continue to monitor and maintain all the time."
And many of the Council's initiatives, including plans to launch two new standards aimed at improving embedded security features, or "host security modules," built into card data transaction processing hardware, and regulations for UPTs (unattended payment terminals) such as gas pumps and ticketing kiosks, will help push the entire industrywide process forward, they said. The PCI Security Standards Council will also continue to push DSS overseas, in Europe and APAC specifically, where the guideline has faced some resistance from card handlers. But the effort launched by the world's largest card companies -- American Express, Discover, JCB, MasterCard and VISA -- remains undaunted in its pursuit, PCI's chief spokespeople said. "Addressing the criticism comes down to communication; once we have enough information from companies like Heartland to truly examine what happened, we can understand how it relates to DSS," de Veyra said. "And working with all the companies on our Advisory Board, meeting with them and incorporating their feedback over time, will be the most important aspect of maturing the standards." Another new element of DSS will be a technological tool, a sort of stripped-down PCI diagnostic application provided by the Council to offer organizations still getting started with the standard a more "prioritized approach to DSS." The Prioritized Approach tool will help companies track their ability to meet basic milestones of achieving compliance with DSS, the representatives said. The first three steps -- preventing the improper storage of electronic data, securing the network perimeter and securing applications -- have evidently proven hard to accomplish for many organizations, and some might argue most or even all.
But most importantly, the idea is to gradually bring about a world where every company affected by the PCI mandate has at least greatly augmented and formalized its approach to, if not its execution of, securing electronic data, the leaders said. "No standard is ever going to completely stop what we're seeing right now with cyber-crime, but the reaction we've seen to PCI after some of these incidents like Heartland has been absolutely unfair, because we don't even know if they were compliant," Russo said. As to whether incidents like the breaches at Heartland, TJX and Hannaford Brothers have damaged public perceptions of DSS, the industry veteran said, as in any case, there is no shortage of opinions. "You can sit there and look at it from one side and say, you have this standard but these incidents have still happened, and that proves something isn't working," Russo said. "But what you don't know at the same time is, if we didn't have DSS as it stands in place, how many more of these incidents might we have had?" I'm sure that there are valid criticisms of various aspects of PCI -- some very smart people have spent time voicing their questions already. But I'm curious to know whether they'd agree at the end of the day that something is better than nothing.
Comments (3)
Yes, something is usually better than nothing, unless it creates a false sense of security or it diverts scarce security resources away from the areas of greatest need (FISMA?). PCI DSS is one of the better standards out there.
Russo and de Veyra make valid points about a compliance audit being a snapshot of a point in time and the unknown compliance state of the companies at the time of the breaches, and the strong possibility that the existence of the standards has prevented many further breaches from ever occurring.
However, until end-to-end encryption is mandated and enforced, I suspect that we will see a lot more of these breaches.
Posted by mdubh | March 2, 2009 5:51 AM
Although I understand the meaning behind the simplistic statement "something is much better than nothing," I would think that some other, more powerful, message would be coming out of the mouth of a PCI chief. "Something is better than nothing" may suggest that most merchants treat this casually and are doing nothing to protect themselves -- so it's better to have "something". This doesn't get the seriously important message across the way I would want to as a representative whose company is part of the payment card industry. I would want to stress something along the lines of information security being a CONSTANT behavior for the privacy and safety of all.
Posted by Char Sambunjak | March 5, 2009 10:21 AM
Char, thanks for the comment. I should be perfectly clear, the gentlemen from PCI Council sat there and outlined very specific elements of the standard at great length and with the utmost seriousness -- the concept of security being anything approaching a casual pursuit for the organizations required to comply with DSS was nowhere near their actual inference.
In trying to make the blog conversational, I chose easily the least substantive sentiment that was expressed, and that was offered in response to my own recognition of a set of broad points they had just outlined around the gradual evolution of improving security among such a wide range of organizations -- and that so many organizations were not as committed to data security as they might have been before PCI came to be.
I wouldn't want Bob and Lib to be painted as oversimplifying the issue and I tried to make that clear. I hope my attempt to get cute with the language doesn't misconstrue what they actually had to say.
Posted by Matt Hines - Blogger | March 5, 2009 12:17 PM