http://www.theregister.co.uk/2007/09/27/pci_dss_compliance/ By John Leyden 27th September 2007 Efforts by the credit card industry to boost merchant security are likely to flounder unless tighter regulations are accompanied by punishments against transgressors. The Payment Card Industry Data Security Standard (PCI DSS) methodology aims to improve the security of cardholder data among banks, service providers and the merchant community. The standard is more prescriptive and detailed than earlier regulatory regimes (such as Sarbannes-Oxley) but still leaves plenty of room for interpretation. Merchants and service providers need to validate compliance against an audit by a qualified assessor. But there are major holes in the process of becoming compliant, and even greater challenges in staying compliant as networks are evolving, according to panelists discussing the issue at the NetEvents technology summit in Malta on Thursday. Hundreds of qualified assessors are attempting to audit hundreds of thousands of merchants, creating a potential gap in the system. Neil Hartsell, VP of product marketing at TippingPoint, said that although the high profile credit card security beach at TJX has stolen the headlines problems at small merchants also present a severe risk. For example the link between a card swiping device and a PC in a small store is often unencrypted, even though the date is encrypted after it leaves the computer. A keystroke logger planted on such machines therefore presents a sever security risk. "The problem is that small shops don't know PCI DSS exists and, if they do, they don't take the process seriously enough... SMEs are not able to make these kinds of decisions which ought to be the responsibility of vendors." Michael Bacon, head of information security at Xchanging, said small merchants using self-assessment will be tempted to just tick boxes saying they had set up a firewall or secured their network. Part of the problem is that assessors act more like consultants than health inspectors. "At the end of the day nothing will happen unless you take away their accreditation," Bacon said. Bacon criticised SOX compliance as a "wasted effort" from a security perspective because it failed to outline tactics for achieving strategic directions. PCI DSS is better because it outlines best practice, such as using a firewall and a secure wireless LAN, but doesn't go far enough, according to Bacon. "It's all very well saying users need to run a class of product but products need to be certified. There's no one agency to certify security products," he added. Bob Walder, chief scientist of NSS Labs, said that many merchants wonder why they should invest in PCI DSS compliance when it does little to help them sell more products. __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Thu Sep 27 2007 - 23:40:44 PDT