Oracle CSO trashes PCI rules

Three-year-old requirement to release vulnerability details when found is misguided and dangerous, Davidson says

In an unusual move, Oracle chief security officer Mary Ann Davidson has called on vendors of payment application software to join her company in opposing specific security vulnerability reporting requirements of the Payment Card Industry Security Standards Council.

In a lengthy, sharply-worded blog post late last month, Davidson lashed out at the PCI Council for allegedly not responding to Oracle's repeated requests that it reconsider its policy of requiring software vendors to share detailed vulnerability data even in circumstances where patches haven't been released.

"Established industry practice concerning vulnerability handling avoids the risks created by the [PCI Council's] vulnerability disclosure requirements," Davidson said.

By insisting that vendors divulge detailed vulnerability and exploit information as soon as a flaw is discovered, the PCI council puts vendors and customers at risk, Davidson contended.

"Make sure you tell your customers that you have to rat them out to PCI if there is a breach involving the payment application," she said.

The PCI Security Standards Council develops and administers a set of security standards that all entities handling credit and debit card data are expected to use.

The council was established in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

About three years ago, the council released the Payment Application Data Security Standards (PA DSS), a set of baseline security-standards for payment application software.

The standard requires all developers of payment applications to implement specific security controls in their products and to submit to periodic PCI Council security assessments.

All retailers and other entities handling payment card data are required to use only Validated Payment Applications (VPA) when processing payment card data.

Davidson said she objects to the PA DSS requirement that software vendors submit detailed technical information and exploit details on any security flaws in their products to the PCI Council.

Vendors have been obligated to comply with the requirements since August 2010 so it's not clear why Davidson is raising the an issue now. It could be because the PCI Council is currently asking stakeholders for feedback on the development of the PA DSS standard release.

Davidson was not immediately available for comment on the blog post.

In her post, Davidson called the PCI Council's disclosure requirements "extraordinary and extraordinarily bad, short-sighted and unworkable. Specifically, PCI requires vendors to disclose (dare we say 'tell all?') to PCI any known security vulnerabilities and associated security breaches involving [Validated Payment Applications] ASAP."

The Council could "blab" about the vulnerability details to third-party security assessors, or to any affiliate or agent of those entities as well their employees, contractors, merchants, processors, service providers and others, Davidson contended. "This assorted crew can't be more than, oh, hundreds of thousands of entities. Does anybody believe that several hundred thousand people can keep a secret?" Davidson noted in her blog.

Asking vendors to disclose security vulnerabilities before a patch is developed is pointless, Davidson said.

The only ones in a position to issue a patch or workaround for a software flaw, is the developer of the software. So disclosing details of the flaw to third parties ahead of a patch will do little to enhance security, and in fact is a very dangerous practice, she maintained.

"We already know that insider information about security vulnerabilities inevitably leaks, which is why most vendors closely hold such information and limit dissemination until a patch is available," she said. "That's the industry norm, not that PCI seems to realize or acknowledge that."

An emailed statement from the PCI Council did not address Davidson's comments.

Instead, it noted that the Council requires vendors to disclose vulnerability details so that it can act "swiftly and appropriately" when flaws are detected.

"To clarify, there have been no changes to the Council's policy since the PA-DSS program was launched more than three years ago," the statement noted.

Avivah Litan, an analyst with Gartner said that Davidson's frustration with the requirement is understandable. "A lot of companies are getting annoyed at the whole process," she said.

Most software vendors already have mature processes in place for handling vulnerability disclosures, she said. "So to have an external body tell them what to do is plain annoying," she said.

Data breaches such as the one at payment processing firm Global Payments, which was previously certified as being fully PCI complaint, have also undermined confidence in PCI, Litan said.

Many see such breaches as a sign that compliance with PCI alone doesn't mean much, she said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is

Copyright © 2012 IDG Communications, Inc.

Shop Tech Products at Amazon