WebApp Sec mailing list archives
MasterCard backs off Security, Leave Cardholders at Risk
From: <auto471292 () hushmail com>
Date: Tue, 06 Jun 2006 08:44:46 -0700
In July 2005, VISA and MasterCard began aggressively promoting the importance of web application security through the Payment Card Industry (PCI) Data Security Standard. To protect consumers, VISA/MasterCard updated the PCI standard to include web application security by 2006. However, in March 2006 something very troubling occurred: MasterCard gutted the web application security portion of the standard, leaving millions of consumers vulnerable every time they shop, bank or otherwise expose personal data online.

Visa and MasterCard require credit card merchants to implement PCI security best practices in order to safeguard cardholder information, the type of information which, if compromised, leads to fraud and identity theft. Merchants who fail to comply with PCI can face fines or exclusion from processing credit cards. Everyone, including the credit card brands, agrees that web application security is a critical component of good overall security, since most websites have serious security issues. So why would they backpedal on their web application security requirements now, when web application attacks are on the rise? (1) (2)

In late 2005 MasterCard began (re)certifying Scanning Vendors, who verify that online merchants who accept credit cards are PCI compliant. Scanning Vendors who could demonstrate that they were able to find web application vulnerabilities in accordance with the OWASP Top Ten (3) (a minimum standard for web application security) passed the test and were recertified. Interestingly, many of the previously certified network scanning vendors simply couldn't pass the web application security portion. This is because the technology necessary to proficiently scan web applications for vulnerabilities is vastly different from the capabilities of the large and entrenched network scanning vendors.

In response, MasterCard reduced the PCI standard so that the old guard could pass, stating in turn that it was the web application scanning tools that had inconsistent results. Now only two of the ten recommended issues of the original "minimum standard" need to be tested for. (4)

In addition, many of the merchants claimed that the process of web application testing was too intrusive for them. Experts in the field know that many times a scanner is no more intrusive than a regular user. They also balked at the additional expense required for web application testing. What about the expense and inconvenience that befalls a consumer whose identity is stolen? There must be some accountability for these online merchants, and the credit card companies have to step up and stand behind the standards they impose.

Many in the industry feel that MasterCard caved to the pressure of the large security companies, who did not or could not improve their security offerings to keep up with the latest web application security consumer threats, and to the influence of powerful online merchants. You would think MasterCard would want to ensure that cardholder data is protected by the highest of security standards. The real loser here is the consumer, who remains at risk on just about every website that asks for their credit card number.

(1) A recent Symantec Internet Security Threat Report stated, "Of the vulnerabilities disclosed between July and December 2005, 69% were associated with Web applications."
(2) Web App Hack Incidents Are Up As Businesses Take Cover, http://www.informationweek.com/industries/showArticle.jhtml?articleID=185300842
(3) The OWASP Top Ten provides a minimum standard for web application security. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
(4) Changes to PCI Standard Testing Requirements, http://www.securityfocus.com/archive/139/428796/30/0/threaded
Current thread:
- MasterCard backs off Security, Leave Cardholders at Risk auto471292 (Jun 07)
- Re: MasterCard backs off Security, Leave Cardholders at Risk fscwi (Jun 07)
- RE: MasterCard backs off Security, Leave Cardholders at Risk Evans, Arian (Jun 08)
- RE: MasterCard backs off Security, Leave Cardholders at Risk Craig Wright (Jun 08)
- RE: MasterCard backs off Security, Leave Cardholders at Risk Evans, Arian (Jun 08)
- RE: MasterCard backs off Security, Leave Cardholders at Risk Craig Wright (Jun 08)
- RE: MasterCard backs off Security, Leave Cardholders at Risk David P. Durko (Jun 09)
- RE: MasterCard backs off Security, Leave Cardholders at Risk Craig Wright (Jun 09)
- Re: RE: MasterCard backs off Security, Leave Cardholders at Risk erez (Jun 15)