By John Leyden
27th September 2007
Efforts by the credit card industry to boost merchant security are
likely to flounder unless tighter regulations are accompanied by
punishments against transgressors.
The Payment Card Industry Data Security Standard (PCI DSS) methodology
aims to improve the security of cardholder data among banks, service
providers and the merchant community. The standard is more prescriptive
and detailed than earlier regulatory regimes (such as Sarbannes-Oxley)
but still leaves plenty of room for interpretation.
Merchants and service providers need to validate compliance against an
audit by a qualified assessor.
But there are major holes in the process of becoming compliant, and even
greater challenges in staying compliant as networks are evolving,
according to panelists discussing the issue at the NetEvents technology
summit in Malta on Thursday. Hundreds of qualified assessors are
attempting to audit hundreds of thousands of merchants, creating a
potential gap in the system.
Neil Hartsell, VP of product marketing at TippingPoint, said that
although the high profile credit card security beach at TJX has stolen
the headlines problems at small merchants also present a severe risk.
For example the link between a card swiping device and a PC in a small
store is often unencrypted, even though the date is encrypted after it
leaves the computer. A keystroke logger planted on such machines
therefore presents a sever security risk.
"The problem is that small shops don't know PCI DSS exists and, if they
do, they don't take the process seriously enough... SMEs are not able to
make these kinds of decisions which ought to be the responsibility of
Michael Bacon, head of information security at Xchanging, said small
merchants using self-assessment will be tempted to just tick boxes
saying they had set up a firewall or secured their network. Part of the
problem is that assessors act more like consultants than health
inspectors. "At the end of the day nothing will happen unless you take
away their accreditation," Bacon said.
Bacon criticised SOX compliance as a "wasted effort" from a security
perspective because it failed to outline tactics for achieving strategic
directions. PCI DSS is better because it outlines best practice, such as
using a firewall and a secure wireless LAN, but doesn't go far enough,
according to Bacon. "It's all very well saying users need to run a class
of product but products need to be certified. There's no one agency to
certify security products," he added.
Bob Walder, chief scientist of NSS Labs, said that many merchants wonder
why they should invest in PCI DSS compliance when it does little to help
them sell more products.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com