After Target, Neiman Marcus breaches, does PCI compliance mean anything?
Security failures at companies certified as PCI compliant suggest problems in standards and implementation
Computerworld - The recent data breaches at Target and Neiman Marcus have once again shown that compliance with the Payment Card Industry Data Security Standard (PCI DSS) is no guarantee against an intrusion.
What's unclear is whether the problem lies in the standard itself, or the manner in which it is implemented and assessed.
In a letter to U.S. Sen. Richard Blumenthal (D-Conn.) explaining the recent breach that exposed 1.1 million payment cards, Neiman Marcus CIO Michael Kingston claimed the intrusion happened even though the company had security measures that exceeded PCI standards.
Target, which last month disclosed a data breach that exposed credit card data on 40 million people, is also believed to have been PCI compliant at the time of the intrusion.
Several other companies that have suffered major data compromises in recent years have also claimed they were compromised despite being certified as PCI compliant.
Security analysts and researchers have differing takes on what might be going on.
Visa, MasterCard, American Express and other major card brands established PCI several years ago to get companies to adopt a common set of security controls for handling credit and debit card data. Over the years, the retail industry in particular is believed to have spent billions of dollars implementing PCI requirements and billions more on mandatory third-party compliance assessments.
That companies like Target and Neiman Marcus were compromised in such spectacular fashion despite adhering to PCI has vexed many.
The breaches "highlight weaknesses in PCI and in the security industry," said Avivah Litan, an analyst with research firm Gartner. Nothing in the PCI standard, for instance, would have helped Target detect and block the intrusion before it happened, according to Litan.
"PCI does mandate checking for malware but none of the typical anti-malware products could find the Target malware, and PCI doesn't mandate next-generation anti-malware security that's starting to emerge," she said.
Some of the problems may have to do with the manner in which compliance is assessed, Litan said. Most assessments are done using previously known attack vectors and threats. Companies are not being assessed for their readiness in dealing with new threats. "That's why we need a new paradigm and stronger security inside the payment system," Litan said.
James Huguelet, an independent PCI consultant, said the biggest problem with the PCI standard is that it doesn't require companies to encrypt data in motion. While the standard has requirements for encrypting data at rest, it has no comparable requirement that card data be encrypted in transit across the entire transaction processing chain.