PCI logo will benefit hackers and not give any benefit to consumers, as it will be spoofed
A logo to show compliance with the Payment Card Industry Data Security Standard (PCI DSS) could create problems for merchants by giving attackers an opportunity.
Following claims last week that there should be a compliance logo for accredited merchants to display, Jan Fry, head of PCI at Pro Check Up Labs, claimed that it would inform a potential attacker about what sort of business it is.
Fry said: “The creation of a PCI logo highlights a number of concerns, the first of which being that an attacker will be able to determine that a company is probably processing enough credit cards to make an attack worthwhile.
“The attacker will also be able to make assumptions about what is likely not to be in place (network encryption) and has been used successfully before in PCI attacks (still not fixed), and fine-tune his attack to take advantage of this - possibly SQL command injection to install listening malware to capture card details.”
Fry also claimed that the introduction of the logo would bring no benefit. Even though it would 'spread the word to consumers and give them a sense of security', this could be a false sense of security, as there is nothing to stop a fraudulent website from using the logo.
He also claimed that PCI DSS compliance is really not something to be proud of, and asked what organisations were doing with credit card data before PCI DSS came along.
Fry said: “A recent podcast put it very succinctly when it said 'compliance is a by-product of good security practice'. The standard in many areas provides a very basic level of security and is not without its flaws. So achieving compliance is not some holy grail of security. Not even close.
“The standard is not about ‘competitive leverage’. Again, companies should have been fulfilling many of these requirements before the standard came about. Whether or not your rival is compliant should not matter. It is your responsibility to protect your customers' cardholder data. What somebody else does or does not do is irrelevant.”
He claimed that while some organisations have invested money into ensuring compliance, undoubtedly some organisations will need to invest a lot of money, simply because of the complicated nature and size of their business. However, other organisations can gain compliance with some simple re-organisation and thoughtful use of freely available applications. “More often than not, there will be no need to invest buckets of money on a magical device that solves a small fraction of your compliance headaches,” said Fry.