Security Experts: Merchants Racing to the Bottom for PCI Certs
Security experts are starting to grumble about the Payment Card Industry Data Security Standard, saying that some merchants just want to get PCI-certified as cheaply and easily as possible—and that the PCI certification system is set up to help them do just that.
“The entire system seems to be set up not to find vulnerabilities,” Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, based in Santa Clara, Calif., and one of 135 security firms on the PCI Security Council's list of ASVs (Approved Scanning Vendors), said in an interview with eWEEK.
“We've had customers that wanted to debate the severity of certain issues because they needed to pass PCI. We sent them to another vendor we thought would pass them more easily. The last thing I want is a customer to get hacked on a vulnerability I didn't find.”
Grossman recently posed the question of whether a company informed of a SQL injection or XSS (cross-site scripting) vulnerability in its Web site, either privately or via public disclosure, would be legally obligated to fix the issue, and whether such a company's compliance status with PCI DSS (or the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act, for that matter) would be jeopardized if it neglected to fix a vulnerability that could lead to the disclosure of private data.
In brief, the answer is no: an organization faces no legal responsibility to fix a vulnerability. Existing breach-notification laws require that people be informed after data is breached, but nothing forces a company to fix a flaw before it leads to data being compromised.
The reason Grossman wanted to know the answer to that question, he told eWEEK, is that too often in client engagements, a company's IT staff will ask him for leverage so they can pressure the organization to fix its security holes, something that upper management all too often doesn't want to do.
“I work with security guys as customers,” he said. “They're all for fixing [vulnerabilities]. But there isn't any legal [compulsion to do so]. For the most part, [merchants] are looking for the cheapest, lowest-quality provider. There [are] no repercussions” for a security assessor who looks the other way from vulnerabilities a more careful assessor would catch, he said.
“In the case of PCI-DSS, it seems to me merchants are compelled to pass their quarterly scans using whatever shoddy ASV they can find who is most likely to find the least,” Grossman said in an Oct. 9 posting. “This is perpetuated because as far as we can tell, there are no penalties for ASVs that we've seen and they're incentivized to find less because that's what the merchant desires. Great.”
Others agree. “From my perspective, many [merchants] have a lot to lose if they are not secure and really strive to be secure,” wrote a respondent to Grossman's post with the moniker of Adrian. “But, yeah, half just want a passing grade at the lowest possible cost.”
The problem, Grossman said, is there are no repercussions if an ASV passes a retailer and slaps a PCI certificate on the merchant only to have that same merchant wind up experiencing a security breach. “If the company gets breached that happened to be PCI-compliant, is there any investigation into the security assessor [that passed the company for certification]? Anybody can miss a vulnerability. But what if it's a pattern?”
The PCI Security Standards Council, a group formed in 2006 by the five major credit card companies, maintains the list of assessors and is in charge of training, assessing and vetting all of its 105 QSAs (Qualified Security Assessors) and 135 ASVs.
Bob Russo, general manager of the council, based in Wakefield, Mass., said he's not aware of any breaches in the past four or five years in which the merchant that suffered the breach had been PCI-compliant.
As it is, he told eWEEK in an interview, security assessors go through an “arduous” test of their scanning tools to make sure those tools can catch the hundreds of constantly shifting vulnerabilities that crop up, that the tools describe vulnerabilities in sufficient detail and that they provide clear instructions on how to correct a given vulnerability.
Were a PCI-compliant merchant to lose data in a security breach, the PCI Security Council wouldn't get involved; the matter would then be in the hands of the individual card brand, Russo said. “We don't get involved in forensics,” he said, explaining that the Council therefore has neither the means nor the intention of investigating security assessors that might PCI-certify a merchant whose security posture doesn't measure up.
Some security experts aren't mollified, and they point to the enormous CardSystems breach disclosed in 2005 as an example of why there needs to be a backup plan if assessors rubber-stamp merchants.
“Look at the history of PCI. Look at the PCI-certified organizations weve seen suffer breaches,” said Rich Mogull, an independent security consultant, founder of Securosis and former Gartner analyst.
CardSystems, a credit card processing company, had its computer system penetrated by data thieves sometime before June 2005, exposing data belonging to 40 million cardholders. At the time, MasterCard claimed that CardSystems had never demonstrated compliance with the company's standards.
CardSystems told a different story, though, informing the New York Times that it had been audited in December 2003 by an unspecified independent assessor and that it had received a seal of approval from the Visa payment association in June 2004.
However, those audits were more than a year before the breach itself, said a spokesperson for the PCI Security Council. “The DSS specifically prohibits the storing of magnetic stripe data [a security blunder to which CardSystems admitted]. If a company is storing this data, they are not compliant with the DSS. No organization who has been compliant with the DSS has ever suffered a breach,” he said. “You can't expose data that isn't there… had they not been storing this data, they would not have been at risk.”
At any rate, the way Mogull sees it, PCI was never about protecting consumers or improving security to begin with. “The way the program is designed, it pushes all liability for card security onto retailers and transaction processors,” he told eWEEK in an interview.
Indeed, Mogull said, there are things the credit card companies could do to improve the security of online transactions, things that are outside of retailers' control. The card companies aren't implementing them, however, because they're too expensive, he said.
One example is SET (Secure Electronic Transaction), a protocol for securing online card payments developed by Visa and MasterCard. Under SET the merchant receives a certificate in place of the user's actual card number, so the merchant can be paid from the consumer's card without ever handling the card number itself.
Alternatively, card companies could require a PIN with card transactions, Mogull said, or they could move from magnetic-stripe cards to smart cards, as is happening in Europe.
Beyond the card companies passing over potentially more secure technology that falls outside PCI, Mogull said he sees a number of other problems.
For one, he agrees with Grossman about the pressures on ASV vendors. “There's competition to get business,” he said. “To do that, companies flat-out say, 'You have to offer a competitive price, and if you're too tough we'll go to somebody who will pass us.'”
Another problem with PCI is the lack of clarity in the standard, he said.
One example is encryption. The PCI standard dictates that card numbers be encrypted, truncated, obfuscated or not kept at all. But if a merchant chooses encryption, what does that mean, exactly? Encryption of the whole database? Field-level encryption of the card-number column? Encryption of the database files on disk?
“One provides more [security] than the other, but the standard doesn't differentiate,” Mogull said. “There were times where we literally couldn't get answers out of Visa regarding how things are supposed to be enforced.”
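The distinction matters in practice because each option defends against a different attacker. The following is an added example, not code from the article or from any of the vendors quoted in it. It shows two of the field-level options, truncation and a keyed one-way index token, applied to a card number, and then a brute-force that recovers a full PAN from an unkeyed SHA-256 when the truncated form is visible; that weakness of a bare hash is my own note and goes beyond what Mogull raises. The sample PAN and key are constructed test values, and the Luhn routines are the standard checksum, not anything the article describes.

```python
"""Field-level protection of a card number (PAN): truncation, a keyed
one-way index token, and why a plain hash is not "obfuscation".
Added example, not from the article. The PAN and key are constructed."""
import hashlib
import hmac
import itertools

SAMPLE_PAN = "4111111111111111"          # constructed test number, Luhn-valid
TOKEN_KEY = b"constructed-demo-key-keep-the-real-one-in-an-hsm"


def _luhn_contrib(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum."""
    value = digit * 2 if doubled else digit
    return value - 9 if value > 9 else value


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    parity = len(pan) % 2            # which left-indexed positions are doubled
    total = sum(_luhn_contrib(int(ch), i % 2 == parity)
                for i, ch in enumerate(pan))
    return total % 10 == 0


def complete_luhn(template: str) -> str:
    """Replace the single '?' in template with the digit that makes Luhn pass.
    Exactly one digit works at any position, so the checksum removes one
    digit of entropy from a partially known PAN."""
    pos = template.index("?")
    parity = len(template) % 2
    total = sum(_luhn_contrib(int(ch), i % 2 == parity)
                for i, ch in enumerate(template) if i != pos)
    for d in range(10):
        if (total + _luhn_contrib(d, pos % 2 == parity)) % 10 == 0:
            return template[:pos] + str(d) + template[pos + 1:]
    raise AssertionError("some digit always completes the checksum")


def truncate_pan(pan: str) -> str:
    """PCI-style truncation: keep the first six (BIN) and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def index_token(pan: str, key: bytes) -> str:
    """Keyed one-way token usable for lookups and joins. Without the key the
    token cannot be reversed by enumerating card numbers."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(pan: str) -> str:
    """What some systems call obfuscation: a bare SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_unkeyed_hash(masked: str, digest: str):
    """Given a truncated PAN and the unkeyed hash of the full PAN, enumerate
    the hidden digits. For a 16-digit PAN six digits are hidden and the Luhn
    checksum fixes one of them, so at most 10**5 hashes are needed."""
    first, last = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    for free in itertools.product("0123456789", repeat=hidden - 1):
        candidate = complete_luhn(first + "".join(free) + "?" + last)
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = truncate_pan(SAMPLE_PAN)
    print("display value        :", masked)
    print("keyed index token    :", index_token(SAMPLE_PAN, TOKEN_KEY)[:16], "...")
    print("recovered from hash  :",
          recover_from_unkeyed_hash(masked, unkeyed_hash(SAMPLE_PAN)))
```

Note what the layers do and do not buy: encrypting the database files or the disk would leave all three stored values looking protected at rest, yet is transparent to anyone who can issue queries, so it says nothing about what an attacker with application-level access can read. The keyed token and truncation hold up under that attacker; the bare hash does not, because the visible digits and the checksum shrink the search to a hundred thousand candidates.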
Another problem concerns what are known as compensating controls. An example of a compensating control under SarbOx would be when a company argues against the need to monitor administrators of a financial database because any wrongdoing would be caught in an audit process on the back end that can validate a transaction. Everybody uses these compensating controls, Mogull said, but they constitute a “real gray area.”
Mogull said he sees another glaring flaw in the PCI system: namely, the conflict of interest involved in maintaining a group of security assessors who also sell the technologies to remedy the vulnerabilities they find.
“Not only are [the ASV vendors] performing audits; theyre providing services to make [merchants] compliant,” he said. “The SEC restricts that [in the financial industry]. You cant be an auditor of record and provide consulting services, for example. … Thats a huge conflict of interest.”
The PCI Security Council's Russo defended the Council's use of technology vendors as assessors, saying there's “nothing in our rules that indicates if you got scanned by a company you should use them for remediation.” The Council also has rules stipulating that a vendor suggest a class of products to address a vulnerability, rather than solely recommending its own product.
“There have been no incidents—at least not reported to the Council—that would make us go out and change the whole paradigm,” Russo said.
Give credit where it's due, at any rate: PCI is improving security, warts and all. “It is at least forcing companies to take another look at security,” Mogull said. “I may complain about PCI but if they have to pass it to improve security it's good for consumers. And shareholders, and business.”
Specifically, Mogull said he has worked with customers that use point-of-sale terminals, the technology that tripped up TJX. He said PCI is slowly improving POS system use, as well as telephone transaction security and back-end systems, forcing improvements steadily through the card-processing ecosystem.
“We see a lot of stores now that used to have POS terminals not protected in the stores, but big retailers are now encrypting that [data],” he said. “They never did that before. Some still aren't. I've seen some real messes out there. But you can't fix it all overnight, I guess. At least people are paying more attention than they used to.”