Oracle CSO trashes PCI rules
Three-year-old requirement to release vulnerability details when found is misguided and dangerous, Davidson says
Computerworld - In an unusual move, Oracle chief security officer Mary Ann Davidson has called on vendors of payment application software to join her company in opposing specific security vulnerability reporting requirements of the Payment Card Industry Security Standards Council.
In a lengthy, sharply-worded blog post late last month, Davidson lashed out at the PCI Council for allegedly not responding to Oracle's repeated requests that it reconsider its policy of requiring software vendors to share detailed vulnerability data even in circumstances where patches haven't been released.
"Established industry practice concerning vulnerability handling avoids the risks created by the [PCI Council's] vulnerability disclosure requirements," Davidson said.
By insisting that vendors divulge detailed vulnerability and exploit information as soon as a flaw is discovered, the PCI council puts vendors and customers at risk, Davidson contended.
"Make sure you tell your customers that you have to rat them out to PCI if there is a breach involving the payment application," she said.
The PCI Security Standards Council develops and administers a set of security standards that all entities handling credit and debit card data are expected to use.
The council was established in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
About three years ago, the council released the Payment Application Data Security Standard (PA DSS), a set of baseline security standards for payment application software.
The standard requires all developers of payment applications to implement specific security controls in their products and to submit to periodic PCI Council security assessments.
All retailers and other entities handling payment card data are required to use only Validated Payment Applications (VPA) when processing payment card data.
Davidson said she objects to the PA DSS requirement that software vendors submit detailed technical information and exploit details on any security flaws in their products to the PCI Council.
Vendors have been obligated to comply with the requirements since August 2010, so it's not clear why Davidson is raising the issue now. It could be because the PCI Council is currently asking stakeholders for feedback on the development of the next PA DSS standard release.
Davidson was not immediately available for comment on the blog post.
In her post, Davidson called the PCI Council's disclosure requirements "extraordinary and extraordinarily bad, short-sighted and unworkable. Specifically, PCI requires vendors to disclose (dare we say 'tell all?') to PCI any known security vulnerabilities and associated security breaches involving [Validated Payment Applications] ASAP."
The Council could "blab" about the vulnerability details to third-party security assessors, or to any affiliate or agent of those entities, as well as their employees, contractors, merchants, processors, service providers and others, Davidson contended. "This assorted crew can't be more than, oh, hundreds of thousands of entities. Does anybody believe that several hundred thousand people can keep a secret?" Davidson noted in her blog.