
By Lisa Vaas  |  Posted 2007-10-10

Alternatively, credit card companies could require a PIN with card transactions, Mogull said, or they could transition away from cards with magnetic stripes to smart cards, as is happening in Europe. Mogull said he sees a number of problems in addition to credit card companies ignoring potentially more secure technology that doesn't fit under PCI.
For one, he agrees with Grossman about the pressures on ASV vendors. "There's competition to get business," he said. "To do that, companies flat-out say, 'You have to offer a competitive price, and if you're too tough we'll go to somebody who will pass us.'"
Another problem with PCI is the lack of clarity in the standard, he said. One example is encryption. The PCI standard dictates that credit card numbers be encrypted, truncated, obfuscated or not kept at all. But if a merchant chooses encryption, what does that mean, exactly? Database-level encryption? Field-level encryption within a database? Encryption of the database files on disk? "One provides more [security] than the other, but the standard doesn't differentiate," Mogull said. "There were times where we literally couldn't get answers out of Visa regarding how things are supposed to be enforced."

Another problem concerns what are known as compensating controls. An example of a compensating control under SarbOx would be when a company argues against the need to monitor administrators of a financial database because any wrongdoing would be caught in an audit process on the back end that can validate a transaction. Everybody uses these compensating controls, Mogull said, but they constitute a "real gray area."

Mogull said he sees another glaring flaw in the PCI system: namely, the conflict of interest involved in maintaining a group of security assessors who also sell the technologies to remedy the vulnerabilities they find. "Not only are [the ASV vendors] performing audits; they're providing services to make [merchants] compliant," he said. "The SEC restricts that [in the financial industry]. You can't be an auditor of record and provide consulting services, for example. … That's a huge conflict of interest."

The PCI Security Council's Russo defended the Council's use of technology vendors as assessors, saying there's "nothing in our rules that indicates if you got scanned by a company you should use them for remediation." The Council also has rules stipulating that a vendor suggest a class of products to address a vulnerability, rather than solely recommending its own product.
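The encryption passage above makes the point that "encrypted, truncated, obfuscated" are not interchangeable even though the standard lists them side by side. The following example is added here to make that concrete; it is not code from the article, from Mogull, or from any PCI document, and the 16-digit card number, the secret key and the brute-force parameters in it are constructed for illustration. It shows that truncation to the first six and last four digits leaves only six unknown digits of a 16-digit PAN, so if an unkeyed hash of the same PAN is stored alongside the truncated form, the full number can be recovered by enumeration; a keyed hash (HMAC with a secret key) does not reproduce without the key and so closes that gap.

```python
"""Added example: truncation, unkeyed hashing and keyed hashing of a card number (PAN)
are not equivalent ways of "not keeping the number in the clear".
The sample PAN below is constructed for this example and is not a real account."""
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed sample data (assumption: a 16-digit PAN that passes the Luhn check).
SAMPLE_PAN = "4539140012346462"
# Assumption: the merchant's secret hashing key; in practice it lives in an HSM or KMS.
SECRET_KEY = b"example-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check that payment card numbers must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as commonly applied under PCI: keep at most first six and last four digits."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic and reproducible by anyone."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN: reproducible only by a holder of the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncation_and_hash(truncated: str, digest: str) -> Optional[str]:
    """Attacker's view: given a truncated PAN and an UNKEYED hash of the same PAN,
    enumerate the masked middle digits (10**6 candidates for a 16-digit PAN,
    roughly 10**5 after the Luhn filter) and hash each until one matches.
    Returns the recovered PAN, or None if no candidate matches."""
    prefix, suffix = truncated[:6], truncated[-4:]
    n_masked = len(truncated) - 10
    for middle in itertools.product("0123456789", repeat=n_masked):
        candidate = prefix + "".join(middle) + suffix
        if luhn_valid(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = truncate_pan(SAMPLE_PAN)
    print("stored truncated form :", masked)
    print("stored unkeyed hash   :", unkeyed_hash(SAMPLE_PAN)[:16], "...")
    print("recovered from both   :", recover_from_truncation_and_hash(masked, unkeyed_hash(SAMPLE_PAN)))
    # With a keyed hash the same enumeration cannot be run without SECRET_KEY.
    print("keyed hash (HMAC)     :", keyed_hash(SAMPLE_PAN, SECRET_KEY)[:16], "...")
```

The recovery loop stops as soon as it finds the constructed PAN, but the same enumeration over the full 10**6 space takes only seconds on a laptop, which is why storing a truncated PAN next to an unkeyed hash of it is no better than storing the PAN itself; later editions of the standard add a note to that effect. The keyed variant is what "obfuscated" should mean in practice, and its security then rests on key management rather than on the hash.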
"There have been no incidents—at least not reported to the Council—that would make us go out and change the whole paradigm," Russo said.

Give credit where it's due, at any rate: PCI is improving security, warts and all. "It is at least forcing companies to take another look at security," Mogull said. "I may complain about PCI, but if they have to pass it to improve security, it's good for consumers. And shareholders, and business."

Specifically, Mogull said he has worked with customers that use point-of-sale terminals—the technology that tripped up TJ Maxx. He said PCI is slowly improving POS system use, as well as telephone transaction security and back-end systems, forcing improvements steadily through the credit card processing ecosystem. "We see a lot of stores now that used to have POS terminals not protected in the stores, but big retailers are now encrypting that [data]," he said. "They never did that before. Some still aren't. I've seen some real messes out there. But you can't fix it all overnight, I guess. At least people are paying more attention than they used to."

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
