After Target, Neiman Marcus breaches, does PCI compliance mean anything?
Security failures at companies certified as PCI compliant suggest problems in standards and implementation
Computerworld - The recent data breaches at Target and Neiman Marcus have once again shown that compliance with the Payment Card Industry Data Security Standard (PCI DSS) is no guarantee against an intrusion.
What's unclear is whether the problem lies in the standard itself, or the manner in which it is implemented and assessed.
In a letter to U.S. Sen. Richard Blumenthal (D-Conn.) explaining the recent breach that exposed 1.1 million payment cards, Neiman Marcus CIO Michael Kingston claimed the intrusion happened even though the company had security measures that exceeded PCI standards.
Target, which last month disclosed a data breach that exposed credit card data on 40 million people, is also believed to have been PCI compliant at the time of the intrusion.
Several other companies that have suffered major data compromises in recent years have also claimed they were compromised despite being certified as PCI compliant.
Security analysts and researchers have differing takes on what might be going on.
Visa, MasterCard, American Express and other major credit card associations established PCI several years ago to get companies to adopt a set of security controls for handling credit and debit card data. Over the years, the retail industry in particular is believed to have spent billions of dollars implementing PCI requirements and billions more on mandatory third-party compliance assessments.
That companies like Target and Neiman Marcus were compromised in such spectacular fashion despite adhering to PCI has vexed many.
The breaches "highlight weaknesses in PCI and in the security industry," said Avivah Litan, an analyst with research firm Gartner. Nothing in the PCI standard, for instance, would have helped Target detect and block the intrusion before it happened, according to Litan.
"PCI does mandate checking for malware but none of the typical anti-malware products could find the Target malware, and PCI doesn't mandate next-generation anti-malware security that's starting to emerge," she said.
Some of the problems may have to do with the manner in which compliance is assessed, Litan said. Most assessments are done using previously known attack vectors and threats. Companies are not being assessed for their readiness in dealing with new threats. "That's why we need a new paradigm and stronger security inside the payment system," Litan said.
James Huguelet, an independent PCI consultant, said the biggest problem with the PCI standard is that it doesn't require companies to encrypt data in motion. While the standard has requirements for encrypting data at rest, there is no such requirement for data in transit across the entire transaction processing chain.