WebApp Sec mailing list archives
RE: PCI DSS Compliance
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Fri, 30 Dec 2005 10:03:12 +1100
I don't think many people think PCI is perfection (apart from marketing, perhaps:-) It seems to be reasonable, affordable mix of requirements that strives to be technology neutral. PCI already has about 4 layers of compliance needs, depending upon the annual volume of cards processed. These range from 'be careful' (very small volumes) to self assessment through to on-site accredited audits and vuln-scanning ( >6million cards pa). Technology and architeecture nuerality is a critical constraint in my view its easier to write a specific document for a single software architecture and product/tech mix. There is a very broad variety o ecomm archictures and techo/product mixes ot there - one client I work with (150 people and quite profitable) has an issue that a single PCI compliance aspect will cost around 5% of annual revenue (not profit) plus 12-20 person months to fix in 1 for just of their 3 payment processing 'streams' due to legacy impacts from decisions made years ago. In this single casse, a lack of well developed and robust products APIs etc in the market, plus architecture choices made before PCI/CISP et all were dreamt of continue to impact, meaning ustom APIs and code redevelopment or platfrom replacement is needed. So I stand by the view that PCI al-la '2005-style' is a good start, but we will continually need to get better security, at the level and pace that the business can afford. Since security people are generally bad at getting money to spend (or spend wisely in many cases), an industry wide driver approach is, in my view a good thing to get corporate commmittment. Will PCI fix all card security today - no; the majority of the reported compromises of card details over the past 18 months stem from failures of technology or process at card scheme members (i.e banks) who are not required to comply with PCI/AIS/CISP/SDP. The PCI of, say 2010, won't be the PCI of today - but I bet this current debate could happen then much as it is happening now - security is never perfect, just good enough for the risks the business is prepared to spend on! Lyal -----Original Message----- From: Pete Herzog [mailto:lists () isecom org] Sent: Thursday, 29 December 2005 9:26 PM To: Lyal Collins Cc: 'Craig Wright'; webappsec () securityfocus com Subject: Re: PCI DSS Compliance Lyal, all, Sorry for the delay-- I had vacation. Lyal Collins wrote:
I don't think it's a question of the PCI document being right or wrong, but of compliance to a set of domumented requirements in order to either stay in business or minimise financial impact on a company if a security breach involving credit cards occurs.
This is indeed a problem where compliance is seen as protection. The two are very often not the same. Why accept the PCI document as one that minimizes financial impact, privacy breaches, etc. if the premise only scratches the surface of the definition of protection? We cannot simply accept that products, blacklists, and the products that love them are to be regulations. Compliance should be simply the do's and don'ts of protection and loss controls with metrics to assure compliance. Remember that best practices are not best for all. The protection requirements should be documented but not the process of achieving them.
PCI requires, among 190+ other things, vuln scanning of all internet facing systems, and those internal systems that process cardholder data, not the entire internal network. PCI also requires an annual pen-test, to attempt to exploit scanning-discovered vulnerabilities. Of course you may choose to scan the rest of the entire network as part of enterprise security management.
Pen tests are another thing that are also poor security tests. Requiring a pen test is barely better than requiring a vulnerability scan of systems that hold cardholder data. But maybe I don't understand what you mean by pen test. To me it's a test for exploiting weaknesses in a network to raise privileges and meet a pre-assigned goal (such as card member data). In that case a pen test is big mistake. A black box pen test can only ever be favorable to the client as opposed to one where the tester has more information about the network, the systems, the processes, and the alert/alarm profile. The latter is more beneficial to the card holders and the card issuers because it would mean something about testing protection and loss controls and not just the tester's skills. Sure PCI is about compliance but takes the wrong approach to be about protection and loss controls. For example, just asking for a third-party every year is such a huge generalization because if you consider the speed of progress, then shouldn't sites with more interactions, a greater scope, need more frequent audits than smaller ones? If this was based on a metric, you could assure audits were done whenever the metric reached an unsavory number. I know this document came out to improve things but it's still far from that goal. Sincerely, -pete.
Current thread:
- RE: PCI DSS Compliance, (continued)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Lyal Collins (Dec 20)
- Re: PCI DSS Compliance Pete Herzog (Dec 29)
- RE: PCI DSS Compliance Lyal Collins (Dec 29)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- Re: PCI DSS Compliance Roberto Tanara (Dec 21)
- RE: PCI DSS Compliance Lyal Collins (Dec 21)
- Re: PCI DSS Compliance Roberto Tanara (Dec 22)