Secerno Issues Warning About Light Weight PCI Standard Update
Secerno has issued a warning to retailers and consumers alike regarding section 6.6 of the PCI standard that takes effect on June 30th. The measures that the update requires – either installing firewalls around Internet-facing applications or having all customer application code reviewed for common vulnerabilities – are undoubtedly a useful step, forwarding any security strategy. However, Secerno argues that, with its perimeter focus, the section fails completely to provide any safety provisions against the rising and detrimental threat of insider breaches and theft of data. The insider threat covers everything from employees who have financial or other motives to obtain and sell data through to criminals who infiltrate an organisation with the sole intention of stealing information.
Retailers, which have seen consumer confidence eroded by a series of well-publicised breaches, are viewing PCI as a means to win back trust and alleviate fears of having consumer data stored internally. However, in the face of increasing insider threats, the PCI Requirement 6.6 and the overall standard remain ineffective for security. Even as a prescription for external attack prevention, PCI falls short – allowing cyber-criminals access to data that they can immediately use. The Hannaford breach is a perfect example of data being targeted and stolen specifically for fraudulent means. By the time the breach was realised, 4.2 million credit cards had been compromised, despite the supermarket chain being fully PCI compliant.
Secerno is calling on the retail industry to do the following:
• Mandate more stringent controls at the database itself, to actually achieve what PCI intends – protect stored credit card and other consumer financial data.
• Mandate a universal definition of a data breach that works to the consumer's benefit. The definitions and reporting requirements for data loss vary widely and many times the consumer learns about the breach months after its occurrence.
• Do not fall victim to believing in only one type of threat – and that it is external. Internal threats are on the rise, and the PCI standard does not take private networks into account.
"The PCI Data Security Standard has the best intentions, but as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data", said Paul Davie, Founder of Secerno. "PCI was historically written for ecommerce rather than general retailers where breaches have actually been taking place. It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users. The standard says nothing about any malware other than viruses, it says nothing about encrypting internal data, it says nothing about protecting data on private networks and it says nothing about securing the database. Unfortunately, the internal threat is PCI's blind spot."
write your comments about the article :: © 2008 Computing News :: home page