: Merchants Racing to the Bottom for PCI Certs"> Security experts are starting to grumble about the Payment Card Industry Data Security Standard, saying that some merchants just want to get PCI-certified as cheaply and easily as possible—and that the PCI certification system is set up to help them do just that.
"The entire system seems to be set up not to find vulnerabilities," Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, based in Santa Clara, Calif., and one of 135 security firms on the PCI Security Councils list of ASVs (Approved Scanning Vendors), said in an interview with eWEEK.
"Weve had customers that wanted to debate the severity of certain issues because they needed to pass PCI. We sent them to another vendor we thought would pass them more easily. The last thing I want is a customer to get hacked on a vulnerability I didnt find."
Grossman recently posed the question of whether a company informed of a SQL or XSS (cross-site scripting) vulnerability in its Web site, either privately or via public disclosure, would be legally obligated to fix the issue, and whether such a companys compliance status with PCI-DSS (or the Sarbanes-Oxley Act or Health Insurance Portability and Accountability Act, for that matter) would be jeopardized if it neglected to fix a vulnerability that could lead to the disclosure of private data.
Click here to read more about why merchants are dealing with the same weaknesses causing PCI failures.
In brief, the answer is no—an organization faces no legal responsibility to fix a vulnerability. Existing laws stipulate the requirement that people be informed when data is breached. But there is nothing forcing a company to fix something before it leads to data being compromised.
The reason Grossman wanted to know the answer to that question, he told eWEEK, is that too often in client engagements, a companys IT staff will ask him for leverage so they can pressure an organization to fix its security holes—something that upper management all too often doesnt want to do.
"I work with security guys as customers," he said. "Theyre all for fixing [vulnerabilities]. But there isnt any legal [compulsion to do so]. For the most part, [merchants] are looking for the cheapest, lowest-quality provider. There [are] no repercussions" for a security assessor who looks the other way from vulnerabilities a more careful assessor would catch, he said.
"In the case of PCI-DSS, it seems to me merchants are compelled to pass their quarterly scans using whatever shoddy ASV they can find who is most likely to find the least," Grossman said in an Oct. 9 posting. "This is perpetuated because as far as we can tell, there are no penalties for ASVs that weve seen and theyre incentivized to find less because thats what the merchant desires. Great."
Others agree. "From my perspective, many [merchants] have a lot to lose if they are not secure and really strive to be secure," wrote a respondent to Grossmans post with the moniker of Adrian. "But, yeah, half just want a passing grade at the lowest possible cost."
The problem, Grossman said, is there are no repercussions if an ASV passes a retailer and slaps a PCI certificate on the merchant only to have that same merchant wind up experiencing a security breach. "If the company gets breached that happened to be PCI-compliant, is there any investigation into the security assessor [that passed the company for certification]? Anybody can miss a vulnerability. But what if its a pattern?"