PCI DSS Warning

by msecadm4921

Corsaire, an information security firm, has warned businesses against over-confidence that the Payment Card Industry’s Data Security Standard (PCI DSS) will keep their customers’ data safe.  This comes in the wake of several recent security breaches, including those at Heartland Payment Systems and other firms that had passed their PCI DSS assessment.

Briefly, the PCI DSS is a set of specific requirements for protecting payment account data.  The standard was developed by the PCI Security Standards Council to encourage the broad adoption of consistent data security measures.  Founding members of the council include American Express, JCB International, MasterCard and Visa.

The PCI DSS sets out the requirements that organisations must meet if they process debit and credit card payments, either directly or as a service provider to another company.  Compliance covers everything from building and maintaining secure networks to having an information security policy in place to protect cardholder data.

"First of all, let me say that – if used correctly – the PCI DSS can provide a valuable, base level of data security," says Jane Frankland, Commercial Director, Corsaire. "However, the PCI DSS was never meant to be a security programme in itself: it was actually intended to formalise contractual requirements for minimum security within organisations that must interact with the banks and credit card companies. However, the PCI DSS has often been used as a form of public seal of approval, to show that an organisation is secure – and that isn't necessarily true."

In particular, the infosec firm points to a number of common security myths that can quickly undermine the value of a PCI DSS assessment if an organisation believes them, such as:

  • Anti-virus scanners can detect all malware and viruses
  • Simply focusing on the Open Web Application Security Project's (OWASP) Top 10 web application security flaws is enough to make an application secure
  • Having a security policy in place means that a company is secure
  • A Web Application Firewall (WAF) will stop all attacks on a web server

According to Corsaire, attackers will exploit exactly these areas of weakness, and will go to extraordinary lengths to compromise a financial application because the spoils are so tempting. Any application that processes financial data should therefore have proportionally higher requirements for data confidentiality and transaction integrity.

As such, instead of relying on the 'one-size-fits-all' approach of schemes like the PCI DSS, Corsaire recommends that businesses treat the standard as a starting point and augment it with security requirements tailored to their own organisation and circumstances.  Any solid security policy should also include developer education and regular security testing checkpoints.

"Complying with the PCI DSS is certainly a good starting point for protecting credit card data, but it will not automatically make an organisation secure; it will only make them compliant with that particular standard," Frankland adds.  "After all, just because somebody has a driver’s license, it doesn’t necessarily mean that they’re a good driver."

© 2024 Professional Security Magazine. All rights reserved.