PCI Security Standards Are Not Good Enough

I logged into my bank account this evening and saw a message about reissuing certain cards that may have been breached. It turns out that Heartland Payment Systems, a payment processor, discovered a sniffer hidden in an unallocated disk partition. That's a pretty sneaky place to hide such malware, and if it weren't for some extraneous temp files, it would not have been found. Evan Schuman has been tracking this in his blog, so I won't repeat the information here.

Breaches have been a pretty common occurrence, but the alarming trend is that they are occurring even at merchants and processors that are deemed PCI compliant, as was the case with Heartland. I don't think PCI compliance is worthless, because it certainly does thwart most of the amateur attacks. But in order to be truly secure, we must employ end-to-end encryption that ensures safe delivery of information from the point of purchase across the entire payment network. However, Visa and MasterCard have refused to do this, presumably because of the increased CPU power required (encryption and decryption require complex math that is very computationally expensive).

Does anyone else think that forcing compliance solely on merchants and processors is not only unfair, but also insecure?

PS- This is my first posting using IE8 running on Windows 7 beta. So far, so good.

Comments:

PCI compliance was never going to be enough. I think Visa just felt it had to do something to get retailers to implement the basics of security across their broad networks.

However, you cannot have a single standard against a moving target - "the bad guys" will always get smarter. You could argue that just as the open source community has created a pretty stable OS in Linux, the "open bad guy" community can create some pretty clever malware.

Is it unfair to require end-to-end encryption? No. Is it a reasonable expectation that this will "do the trick"? Nope. Sadly, battling malware will take effort, money and vigilance across the whole ecosystem.

Our research shows us that a not-insubstantial number of retailers have forgone wireless in-store networks, most likely to avoid the risk of breaches... that's not the right answer either. It's a question of vigilance.

Posted by Paula Rosenblum on January 30, 2009 at 12:14 AM CST

About
David Dorf, Sr Director Technology Strategy for Oracle Retail, shares news and ideas about the retail industry with a focus on innovation and emerging technologies.