PCI compliance accused of becoming meaningless if it is not correctly enforced
The requirements for PCI compliance have been described as ‘woefully inadequate’.
Paul Henry, security and forensic analyst at Lumension, claimed that breach after breach of credit card data has become all too commonplace, and PCI should raise the bar and increase the minimum acceptable standards to become compliant in light of these many failures.
Pointing to the Heartland incident, Henry stated that PCI had ‘failed to adequately address consumer risk by not mandating end-to-end encryption as part of its requirement, allowing the use of compensating controls in lieu of encryption in order to spare those under PCI requirements from the expense of properly securing the data they were entrusted to protect’.
He also claimed that one of the hot topics in PCI compliance was the requirement for a firewall. While most people in the industry recognised the need for an application layer firewall, PCI still only required a packet filter. When the standard was finally revised to require ‘an application firewall’, it failed to define specifically what an application firewall was.
Henry said: “Hence, you could simply layer IDS signatures on top of your packet filter, call it an application firewall and meet the requirement. A real opportunity to raise the bar for the good of all was completely missed – for no other reason than perhaps to reduce the cost of being PCI compliant.”
As cybercriminals have improved their tactics, releasing exploits before a patch is available, Henry said that card processors should evolve their patch lifecycle testing process to bring it in line with the current risks posed by the bad guys, who have cut the time needed to create an exploit.
“Simply put, at a time when cybercriminals only now need a day to create an exploit we need a shorter mandatory timeframe for critical patch deployment, not a longer time,” said Henry.
He concluded by claiming that PCI compliance is at risk of becoming nothing more than a form of ‘get-out-of-jail-free card’ for merchants and processors that meet a below-grade standard in achieving PCI compliance.
Henry said: “It is moving yet further away from protecting cardholders'/consumers' interests, which in my opinion should be the primary if not the only focus of PCI. PCI and the industry must raise the bar and not seek to lower it or be faced with a greater risk of governmental regulation, a potential greater risk to the industry as a whole.”