PCI Security Standards Are Not Good Enough
By David Dorf-Oracle on Jan 28, 2009
I logged into my bank account this evening and saw a message about reissuing certain cards that may have been breached. It turns out that Heartland Payment Systems, a payment processor, discovered a sniffer hidden in an unallocated disk partition. That's a pretty sneaky place to hide such malware, and if it hadn't been for some extraneous temp files, it would not have been found. Evan Schuman has been tracking it in his blog, so I won't repeat the information here.
Breaches have been a pretty common occurrence, but the alarming trend is that they are occurring even at merchants and processors that are deemed PCI compliant, as was the case with Heartland. I don't think PCI compliance is worthless, because it certainly does thwart most of the amateur attacks. But in order to be truly secure, we must employ end-to-end encryption: card data encrypted at the point of capture and decrypted only at the endpoint that actually needs it, so that every intermediate hop, a compromised processor included, handles nothing but ciphertext. The Heartland sniffer shows why this matters: data that is decrypted at an intermediate hop is readable by anything running on that hop, no matter how well the links into and out of it are protected. However, Visa and MasterCard have refused to do this, presumably because of the increased CPU power required (encryption and decryption require complex math that is very computationally expensive). That rationale does not hold up well: a modern symmetric cipher processes the few hundred bytes of a transaction in microseconds. The harder problems are provisioning and managing keys across the terminal population and changing a network that was built to inspect data it would no longer be able to read.
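To make the distinction concrete, here is an added example (not code from the post, from Heartland or from any payment network): a Go program that models a sniffer sitting inside a processor, then pushes the same transaction through the hop-by-hop model and through end-to-end encryption. The message layout and field names, the choice of AES-256-GCM, the all-zero stand-in key and a sniffer that filters digit runs with the Luhn check are all assumptions made for the demonstration; the card number is the familiar 4111 1111 1111 1111 test PAN and the other data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// Transaction is what a terminal sends toward the issuer; field names and layout are assumptions for this example.
type Transaction struct{ PAN, Expiry, Amount, TID string }

// sampleTransaction is constructed test data; 4111111111111111 is the familiar Luhn-valid test PAN, not a real account.
func sampleTransaction() Transaction {
	return Transaction{PAN: "4111111111111111", Expiry: "1209", Amount: "19.99", TID: "1234567890123456"}
}

// Serialize is the plaintext form the terminal emits.
func (t Transaction) Serialize() []byte {
	return []byte(fmt.Sprintf("PAN=%s;EXP=%s;AMT=%s;TID=%s", t.PAN, t.Expiry, t.Amount, t.TID))
}

// luhnValid reports whether s is a digit string with a valid Luhn check digit.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 0 && sum%10 == 0
}

// sniff models malware inside the processor: it scans passing bytes for PAN-length digit runs
// and keeps those that pass Luhn, which discards amounts, terminal ids and other numeric noise.
var digitRun = regexp.MustCompile(`[0-9]{13,19}`)
func sniff(wire []byte) []string {
	var found []string
	for _, m := range digitRun.FindAll(wire, -1) {
		if luhnValid(string(m)) {
			found = append(found, string(m))
		}
	}
	return found
}

// hopByHopWire models the status quo: link encryption ends at the processor's edge, so inside it the transaction is plaintext.
func hopByHopWire(tx Transaction) []byte { return tx.Serialize() }

func newGCM(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// e2eSeal models end-to-end encryption: the terminal encrypts under a key shared only with the
// endpoint that must see the PAN, so every hop in between carries ciphertext. Layout: nonce || ciphertext || tag.
func e2eSeal(key []byte, tx Transaction) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, tx.Serialize(), nil), nil
}

// e2eOpen is the receiving endpoint; the GCM tag makes any tampering in transit fail loudly.
func e2eOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	tx, key := sampleTransaction(), make([]byte, 32) // zero key: stand-in for a provisioned terminal key
	blob, _ := e2eSeal(key, tx)
	pt, err := e2eOpen(key, blob)
	fmt.Println("hop-by-hop sniffer sees:", sniff(hopByHopWire(tx)), "| end-to-end sniffer sees:", sniff(blob))
	fmt.Println("issuer decrypts:", string(pt), err)
}
```

Run with `go run`: under the hop-by-hop model the sniffer recovers the PAN from the processor's traffic while ignoring the Luhn-invalid terminal id; under the end-to-end model it finds nothing, the issuer still decrypts the transaction, and any flipped ciphertext byte is rejected by the GCM tag. Sealing a transaction this way costs microseconds on commodity hardware; the engineering effort is in getting a distinct key into every terminal and into the decrypting endpoint, not in the cipher.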
Does anyone else think that forcing compliance solely on merchants and processors is not only unfair, but also insecure?
PS- This is my first posting using IE8 running on Windows 7 beta. So far, so good.