Oracle CSO trashes PCI rules
Three-year-old requirement to release vulnerability details when found is misguided and dangerous, Davidson says
Computerworld - In an unusual move, Oracle chief security officer Mary Ann Davidson has called on vendors of payment application software to join her company in opposing specific security vulnerability reporting requirements of the Payment Card Industry Security Standards Council.
In a lengthy, sharply worded blog post late last month, Davidson lashed out at the PCI Council for allegedly not responding to Oracle's repeated requests that it reconsider its policy of requiring software vendors to share detailed vulnerability data even in circumstances where patches haven't been released.
"Established industry practice concerning vulnerability handling avoids the risks created by the [PCI Council's] vulnerability disclosure requirements," Davidson said.
By insisting that vendors divulge detailed vulnerability and exploit information as soon as a flaw is discovered, the PCI council puts vendors and customers at risk, Davidson contended.
"Make sure you tell your customers that you have to rat them out to PCI if there is a breach involving the payment application," she said.
The PCI Security Standards Council develops and administers a set of security standards that all entities handling credit and debit card data are expected to use.
The council was established in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
About three years ago, the council released the Payment Application Data Security Standards (PA DSS), a set of baseline security standards for payment application software.
The standard requires all developers of payment applications to implement specific security controls in their products and to submit to periodic PCI Council security assessments.
All retailers and other entities handling payment card data are required to use only Validated Payment Applications (VPA) when processing payment card data.
Davidson said she objects to the PA DSS requirement that software vendors submit detailed technical information and exploit details on any security flaws in their products to the PCI Council.
Vendors have been obligated to comply with the requirements since August 2010, so it's not clear why Davidson is raising the issue now. It could be because the PCI Council is currently asking stakeholders for feedback on the development of the PA DSS standard release.
Davidson was not immediately available for comment on the blog post.
In her post, Davidson called the PCI Council's disclosure requirements "extraordinary and extraordinarily bad, short-sighted and unworkable. Specifically, PCI requires vendors to disclose (dare we say 'tell all?') to PCI any known security vulnerabilities and associated security breaches involving [Validated Payment Applications] ASAP."
The Council could "blab" about the vulnerability details to third-party security assessors, or to any affiliate or agent of those entities as well as their employees, contractors, merchants, processors, service providers and others, Davidson contended. "This assorted crew can't be more than, oh, hundreds of thousands of entities. Does anybody believe that several hundred thousand people can keep a secret?" Davidson noted in her blog.