Oracle CSO trashes PCI rules
Three-year-old requirement to release vulnerability details when found is misguided and dangerous, Davidson says
Computerworld - In an unusual move, Oracle chief security officer Mary Ann Davidson has called on vendors of payment application software to join her company in opposing specific security vulnerability reporting requirements of the Payment Card Industry Security Standards Council.
In a lengthy, sharply-worded blog post late last month, Davidson lashed out at the PCI Council for allegedly not responding to Oracle's repeated requests that it reconsider its policy of requiring software vendors to share detailed vulnerability data even in circumstances where patches haven't been released.
"Established industry practice concerning vulnerability handling avoids the risks created by the [PCI Council's] vulnerability disclosure requirements," Davidson said.
By insisting that vendors divulge detailed vulnerability and exploit information as soon as a flaw is discovered, the PCI council puts vendors and customers at risk, Davidson contended.
"Make sure you tell your customers that you have to rat them out to PCI if there is a breach involving the payment application," she said.
The PCI Security Standards Council develops and administers a set of security standards that all entities handling credit and debit card data are expected to use.
The council was established in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
About three years ago, the council released the Payment Application Data Security Standards (PA DSS), a set of baseline security standards for payment application software.
The standard requires all developers of payment applications to implement specific security controls in their products and to submit to periodic PCI Council security assessments.
All retailers and other entities handling payment card data are required to use only Validated Payment Applications (VPA) when processing payment card data.
Davidson said she objects to the PA DSS requirement that software vendors submit detailed technical information and exploit details on any security flaws in their products to the PCI Council.
Vendors have been obligated to comply with the requirements since August 2010, so it's not clear why Davidson is raising the issue now. It could be because the PCI Council is currently asking stakeholders for feedback on the development of the next PA DSS release.
Davidson was not immediately available for comment on the blog post.
In her post, Davidson called the PCI Council's disclosure requirements "extraordinary and extraordinarily bad, short-sighted and unworkable. Specifically, PCI requires vendors to disclose (dare we say 'tell all?') to PCI any known security vulnerabilities and associated security breaches involving [Validated Payment Applications] ASAP."
The Council could "blab" about the vulnerability details to third-party security assessors, or to any affiliate or agent of those entities, as well as their employees, contractors, merchants, processors, service providers and others, Davidson contended. "This assorted crew can't be more than, oh, hundreds of thousands of entities. Does anybody believe that several hundred thousand people can keep a secret?" Davidson noted in her blog.