PCI DSS Failures

We’re going to keep seeing Payment Card Industry security failures. This isn’t because the Data Security Standards are weak; they’re quite good. But they fail on implementation. At least they do if you are using one of the “sanctioned” certification tracks.

Because PCI recognized early that many industries were not capable of adequate testing and preparation, they authorized a number of companies to do certification testing for companies that couldn’t handle it, or in some cases, simply to offer a streamlined solution to charge card processing entities. And that’s where the failure is.

At least one of these “certifiers” (who shall remain nameless to protect the inept) is using a methodology to certify an organization as PCI compliant that utterly fails to validate security in the tested organization.

The method works like so: 1) point a vulnerability detection utility at said company’s external gateway. 2) document any failures. 3) answer some questions on paper about what’s going on inside said organization.

It may be streamlined, but perhaps a little too streamlined. Nothing internal is validated except on paper, and there is no serious effort to inspect external security. There certainly isn’t any investigation of what a genuine, hardworking threat will do to obtain PCI information.

While the paper test asks about such things as password strength, encryption, and patching, it fails to validate the claims. While it examines the accessibility of the organization via their primary gateway, it fails to check for anything more complicated than open ports.
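To make concrete what “validating the claims” would look like, here is an added example (not from the original post): it takes the answers an organization wrote on the questionnaire and reconciles them against configuration actually collected from a host. All of the questionnaire answers, the `login.defs` and `sshd_config` fragments, and the patch-age figure are constructed sample data.

```python
"""Reconcile paper questionnaire answers against observed host configuration."""

# Constructed sample: what the organization claimed on the paper questionnaire.
QUESTIONNAIRE = {
    "min_password_length": 12,
    "max_password_age_days": 90,
    "ssh_password_auth_disabled": True,
    "max_patch_age_days": 30,
}

# Constructed sample evidence pulled from one host (not real output).
LOGIN_DEFS = "PASS_MAX_DAYS   90\nPASS_MIN_DAYS   0\nPASS_MIN_LEN    8\n"
SSHD_CONFIG = "Port 22\nPasswordAuthentication yes\nPermitRootLogin no\n"
OLDEST_MISSING_PATCH_AGE_DAYS = 45  # age of the oldest unapplied patch, constructed


def parse_kv(text):
    """Parse 'KEY VALUE' lines (login.defs / sshd_config style) into a dict.

    Comments and blank lines are ignored; keys are lower-cased because
    sshd_config keywords are case-insensitive.
    """
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0].lower()] = parts[1].strip()
    return out


def reconcile(answers, login_defs, sshd_config, patch_age_days):
    """Return (control, claimed, observed) for every claim the evidence contradicts."""
    ld, sshd = parse_kv(login_defs), parse_kv(sshd_config)
    observed = {
        "min_password_length": int(ld.get("pass_min_len", 0)),
        "max_password_age_days": int(ld.get("pass_max_days", 99999)),
        "ssh_password_auth_disabled": sshd.get("passwordauthentication", "yes").lower() == "no",
        "max_patch_age_days": patch_age_days,
    }
    # How each observed value must relate to the claimed value to support it.
    satisfied = {
        "min_password_length": lambda claim, obs: obs >= claim,
        "max_password_age_days": lambda claim, obs: obs <= claim,
        "ssh_password_auth_disabled": lambda claim, obs: obs == claim,
        "max_patch_age_days": lambda claim, obs: obs <= claim,
    }
    return [(c, claim, observed[c]) for c, claim in answers.items()
            if not satisfied[c](claim, observed[c])]


if __name__ == "__main__":
    for control, claim, obs in reconcile(QUESTIONNAIRE, LOGIN_DEFS,
                                         SSHD_CONFIG, OLDEST_MISSING_PATCH_AGE_DAYS):
        print(f"CLAIM NOT SUPPORTED: {control}: claimed {claim!r}, observed {obs!r}")
```

On the sample data the password-age claim checks out, while the password length, SSH password authentication and patching claims are contradicted by the host itself, which is exactly what a paper-only review cannot see.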

Given that the vast majority of compromises come from attacks originating from spyware brought in via email and http traffic, how does any of this testing provide a valid indication of how secure an organization is? It doesn’t.

All it’s going to do is annoy organizations that practice real security, miss organizations that simply don’t care, and locate only organizations that are utterly inept, of which there should be very few.

What it doesn’t do is increase the security of PCI data. The organizations themselves are already doing that, so what’s with the pointless testing? Test for real problems, validate actual configurations, or don’t do anything. Because failing after creating a false sense of security is still failing.

And after so much work to create a really nice standard, wouldn’t we want it done right? Implement genuine validation efforts at the inspection level.

Digital Trust

This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems. Any republication or reuse is forbidden if the Digital Trust name is removed.