Security Experts: Merchants Racing to the Bottom for PCI Certs - Page 4

Alternatively, credit card companies could require a PIN number with card transactions, Mogull said, or they could transition away from cards with magnetic stripes to smart cards, as is happening in Europe.

Mogull said he sees a number of problems in addition to credit card companies ignoring the potentially more secure technology that doesn't fit under PCI.

For one, he agrees with Grossman about the pressures on ASV vendors. "There's competition to get business," he said. "To do that, companies flat-out say, 'You have to offer a competitive price, and if you're too tough we'll go to somebody who will pass us.'"

Another problem with PCI is the lack of clarity in the standard, he said.

One example is encryption. The PCI standard dictates that credit card numbers be encrypted, truncated, obfuscated or not kept at all. But if a merchant chooses encryption, what does that mean, exactly? Database-level encryption? Field-level encryption within a database? Encryption on database files?
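The question of what "encryption" means in practice can be made concrete. The following Go program is an added example, not code from the article or from any vendor it mentions; it assumes a 256-bit key held outside the database (for instance in an HSM or key-management service) and uses a constructed test card number. It shows the storage options the paragraph names side by side: truncation to the first six and last four digits, a keyed one-way token for lookups (the "obfuscated" option), and field-level encryption of the PAN alone. The security difference the standard leaves implicit is visible in the data model: with field-level encryption a database query returns ciphertext that is useless without the external key, whereas encryption of the database files is transparent to any client that can run a query, because the database decrypts the files for everyone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample PAN: a widely published test number, not a real card.
const samplePAN = "4111111111111111"

// StoredCard is what the database row would hold. None of the fields reveals
// the full PAN to someone who can only query the table.
type StoredCard struct {
	Display   string // truncated form, safe for receipts and screens
	Token     string // keyed one-way token, usable for "same card?" lookups
	PANCipher string // field-level ciphertext under a key kept outside the DB
}

// TruncatePAN keeps at most the first six and last four digits and masks the
// rest. The truncated value cannot be reversed, so it needs no key management.
func TruncatePAN(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN length out of range")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// TokenizePAN derives a deterministic HMAC-SHA256 token. Unlike a plain hash,
// the key prevents brute-forcing the token back to a PAN, since the PAN space
// behind a known BIN is small enough to enumerate.
func TokenizePAN(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// EncryptPAN is field-level encryption: only the PAN is encrypted, with
// AES-256-GCM, so the ciphertext is what any SQL client sees in the column.
// The key is supplied by the caller and never stored alongside the data.
func EncryptPAN(key []byte, pan string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Nonce is prepended to the ciphertext; GCM's tag authenticates both.
	ct := gcm.Seal(nil, nonce, []byte(pan), nil)
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptPAN reverses EncryptPAN and fails on a wrong key or a tampered value.
func DecryptPAN(key []byte, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreCard builds the row that would actually be written to the database.
func StoreCard(key []byte, pan string) (StoredCard, error) {
	display, err := TruncatePAN(pan)
	if err != nil {
		return StoredCard{}, err
	}
	enc, err := EncryptPAN(key, pan)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Display: display, Token: TokenizePAN(key, pan), PANCipher: enc}, nil
}

func main() {
	key := make([]byte, 32) // placeholder key; a real one comes from an HSM/KMS
	rec, err := StoreCard(key, samplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("display: %s\ntoken:   %s\ncipher:  %s\n", rec.Display, rec.Token, rec.PANCipher)
}
```

In this model a compromised database account yields masked numbers, tokens and ciphertext, and the attacker still needs the key store; with file-level encryption alone the same account would read full card numbers.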

"One provides more [security] than the other, but the standard doesn't differentiate," Mogull said. "There were times where we literally couldn't get answers out of Visa regarding how things are supposed to be enforced."

Another problem concerns what are known as compensating controls. An example of a compensating control under SarbOx would be when a company argues against the need to monitor administrators of a financial database because any wrongdoing would be caught in an audit process on the back end that can validate a transaction. Everybody uses these compensating controls, Mogull said, but they constitute a "real gray area."

Mogull said he sees another glaring flaw in the PCI system: namely, the conflict of interest involved in maintaining a group of security assessors who also sell the technologies to remedy the vulnerabilities they find.

"Not only are [the ASV vendors] performing audits; they're providing services to make [merchants] compliant," he said. "The SEC restricts that [in the financial industry]. You can't be an auditor of record and provide consulting services, for example. … That's a huge conflict of interest."

The PCI Security Council's Russo defended the Council's use of technology vendors as assessors, saying there's "nothing in our rules that indicates if you got scanned by a company you should use them for remediation." The Council also has rules stipulating that a vendor suggest a class of products to address a vulnerability, rather than solely recommending its own product.

"There have been no incidents—at least not reported to the Council—that would make us go out and change the whole paradigm," Russo said.

Give credit where it's due, at any rate: PCI is improving security, warts and all. "It is at least forcing companies to take another look at security," Mogull said. "I may complain about PCI, but if they have to pass it to improve security, it's good for consumers. And shareholders, and business."

Specifically, Mogull said he has worked with customers that use point-of-sale terminals—the technology that tripped up TJ Maxx. He said PCI is slowly improving POS system use, as well as telephone transaction security and back-end systems, forcing improvements steadily through the credit card processing ecosystem.

"We see a lot of stores now that used to have POS terminals not protected in the stores, but big retailers are now encrypting that [data]," he said. "They never did that before. Some still aren't. I've seen some real messes out there. But you can't fix it all overnight, I guess. At least people are paying more attention than they used to."