I just saw a post from a month ago by Jeremiah Grossman of WhiteHat Security on his blog, “PCI-DSS references the outdated OWASP Top Ten”.
There are actually a number of more serious technical issues with PCI DSS 1.1 than using the OWASP Top 10 from 4 years ago. Note the definition of vulnerability management in Section 5 as “Use and regularly update anti-virus software or programs”. Note “Requirement 1: Install and maintain a firewall configuration to protect cardholder data.” A firewall cannot protect cardholder data by definition, since a) a firewall typically filters inbound traffic at the network layer and b) firewalls are incapable of identifying payment card data going out. This is why companies like Fidelis Security Systems and Vontu (acquired by Symantec) developed data leakage prevention products (which by the way are not even mentioned as a possible security countermeasure in PCI DSS 1.1).
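To make the firewall-versus-DLP point above concrete, here is an added Python example (not code from the post or from any vendor product): a 5-tuple rule that sees only addresses and ports passes an outbound flow, while a content check over the same payload finds a Luhn-valid card number. The egress sample, host name and allowed-port list are constructed for illustration.

```python
import re

# Constructed outbound HTTP body: one Luhn-valid test PAN (4111...) and one
# 16-digit reference number that is NOT a card number (fails Luhn).
SAMPLE_EGRESS = (
    "POST /upload HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
    "order=1234,card=4111 1111 1111 1111,exp=12/29\n"
    "order=1235,ref=1234567890123456,exp=01/30\n"
)

# 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def network_layer_verdict(dst_ip: str, dst_port: int,
                          allowed_ports=(80, 443)) -> str:
    """What a packet-filter rule can decide: it never sees the payload."""
    return "allow" if dst_port in allowed_ports else "deny"


def find_pans(payload: str) -> list[str]:
    """Return every digit run that looks like a PAN and passes Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits for logging, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def content_layer_verdict(payload: str) -> str:
    """What an egress content inspector can decide on the same flow."""
    return "block" if find_pans(payload) else "allow"
```

Run against SAMPLE_EGRESS, the network-layer rule returns "allow" for a flow to port 443 while content_layer_verdict returns "block", and only the Luhn-valid number is reported (masked as 411111******1111).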
The experience of the past 2 years has shown that PCI DSS 1.1 does not improve payment card security, judging by the number of data breaches at large PCI-compliant merchants such as Hannaford. I believe that this situation stems from conceptual flaws in PCI DSS 1.1:
- PCI DSS 1.1 was designed by the card associations and big processors to meet their needs – which means that it will probably never meet the current needs of over 4 million merchants in the US and over 8 million worldwide.
- The information security industry has not exactly bought into PCI DSS 1.1. As both the thread on Jeremiah Grossman’s blog and general industry discussion show – there is still a good deal of argument about the standard itself.
- PCI DSS 1.1 is a one-size-fits-all compliance standard that makes all requirements mandatory without encouraging the merchant, vendors, service providers and consultants to analyze the merchant’s risk profile and find the right countermeasures at the right price. I cannot accept that a merchant smart enough to run a business in a down economy cannot think in terms of assets, threats, vulnerabilities and cost-effective countermeasures.
- A QSA has limited application and is far from a panacea for technical flaws in the standard. Note that the role of the QSA is only relevant for Level 1 merchants – and there are only about 1200 of those in the US and about 2500 worldwide. Everyone else does self-assessment and would benefit from a standard that encourages them to think about threats and security. The PCI Association works to monetize its franchise with expensive qualification programs. I believe in free markets, but there is mega-scale franchise building in the security and accounting industry around Sarbanes-Oxley, and I am not optimistic that franchise building by the PCI Association contributes to improving the security of payment cards.
If it were up to me – I would make PCI DSS 1.1 an Open Source initiative like OWASP – I would give risk assessment software away for free to merchants and create a community of vendors, merchants, attackers and consultants who could share their expertise and create a more secure and more cost-effective economy for credit card processing. I would require disclosure of loss events and publicize a pricing guide for the security countermeasures.