Security Experts: Merchants Racing to the Bottom for PCI Certs

By Lisa Vaas  |  Posted 2007-10-10

Security experts are starting to grumble about the Payment Card Industry Data Security Standard, saying that some merchants just want to get PCI-certified as cheaply and easily as possible—and that the PCI certification system is set up to help them do just that. "The entire system seems to be set up not to find vulnerabilities," Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, based in Santa Clara, Calif., and one of 135 security firms on the PCI Security Council's list of ASVs (Approved Scanning Vendors), said in an interview with eWEEK. "We've had customers that wanted to debate the severity of certain issues because they needed to pass PCI. We sent them to another vendor we thought would pass them more easily. The last thing I want is a customer to get hacked on a vulnerability I didn't find."
Grossman recently posed the question of whether a company informed of a SQL injection or XSS (cross-site scripting) vulnerability in its Web site, either privately or via public disclosure, would be legally obligated to fix the issue, and whether such a company's compliance status with PCI-DSS (or the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act, for that matter) would be jeopardized if it neglected to fix a vulnerability that could lead to the disclosure of private data.
In brief, the answer is no—an organization faces no legal responsibility to fix a vulnerability. Existing laws stipulate the requirement that people be informed when data is breached. But there is nothing forcing a company to fix something before it leads to data being compromised.
The reason Grossman wanted to know the answer to that question, he told eWEEK, is that too often in client engagements, a company's IT staff will ask him for leverage so they can pressure an organization to fix its security holes—something that upper management all too often doesn't want to do. "I work with security guys as customers," he said. "They're all for fixing [vulnerabilities]. But there isn't any legal [compulsion to do so]. For the most part, [merchants] are looking for the cheapest, lowest-quality provider. There [are] no repercussions" for a security assessor who looks the other way from vulnerabilities a more careful assessor would catch, he said.
"In the case of PCI-DSS, it seems to me merchants are compelled to pass their quarterly scans using whatever shoddy ASV they can find who is most likely to find the least," Grossman said in an Oct. 9 posting. "This is perpetuated because as far as we can tell, there are no penalties for ASVs that we've seen and they're incentivized to find less because that's what the merchant desires. Great."
Others agree. "From my perspective, many [merchants] have a lot to lose if they are not secure and really strive to be secure," wrote a respondent to Grossman's post with the moniker of Adrian. "But, yeah, half just want a passing grade at the lowest possible cost."
The problem, Grossman said, is there are no repercussions if an ASV passes a retailer and slaps a PCI certificate on the merchant only to have that same merchant wind up experiencing a security breach.
"If the company gets breached that happened to be PCI-compliant, is there any investigation into the security assessor [that passed the company for certification]? Anybody can miss a vulnerability. But what if it's a pattern?"

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
