What is the Value of Your Credit Card Details?
In an effort to increase the perceived security of online credit card transactions, the major credit card providers have been working for a number of years on the PCI Data Security Standard - a set of guidelines that provide a minimum baseline considered secure enough for storing and processing credit card transactions and associated records.
Version 1.1 of the standard was recently released and web security researchers are dismayed at the low standard of security required of vendors in order to be certified as compliant with the PCI DSS 1.1. This normally wouldn't be a problem, but one of the common misconceptions about the PCI DSS is that being certified under it implies a certain level of security exists.
Respected Web Application Security expert, Jeremiah Grossman, points out that a website or vendor only needs to test (and pass) against two of the OWASP Top 10 web vulnerabilities - SQL injection, and XSS.
The Open Web Application Security Project (OWASP) list of Top 10 web vulnerabilities is widely regarded as an accurate and valuable assessment of the most common and riskiest vulnerabilities present in web applications and related content. Limiting compliance requirements to only two of these 10 is being seen as paying lip service to web application threats.
Making matters even more interesting, the PCI standard goes on to list several testing techniques that are not permitted to be used in the process of ascertaining compliance under the two vulnerabilities that should be tested against.
Unfortunately, compliance under the PCI standard is looking more and more like many other standards and industry best practices (ISO 9000, CMM, etc) - a disturbing number of vendors who pass their compliance with flying colours will only be capable of complying within the specific guidelines established in the PCI DSS. Their security and data management practices will be almost as weak as ever, but they can pass their certification with ease.
As pointed out by Jeremiah Grossman, the standard of security promulgated in the PCI DSS isn't really going to stop anyone with the slightest bit of web security attack know-how from getting in, let alone what a financially-motivated attacker is going to be able to achieve.
21 June 2007
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.