PCI Delivers Security Guidance as PCI-DSS 3.0 Looms
How secure is your PCI-compliant deployment?
There is a big difference between compliance and security.
The PCI-DSS (Payment Card Industry Data Security Standard) is the standard against which e-commerce security is measured, and it is gearing up for a major update at the end of the year. Ahead of that update, the PCI Security Standards Council (PCI SSC) has issued new guidance on how organizations can better secure themselves.
"A lot of the exploits we're seeing today are older exploits that should not still be happening," said Bob Russo, general manager, PCI SSC. "This set of guidelines is an attempt by the community at large to make sure that people have guidance."
The full guidance document is not intended to supplant or add to the existing PCI-DSS 2.x standard. Rather, Russo stressed that the new document is all about guidance that precisely aligns with the current standards.
Russo explained that the guidance identifies areas of e-commerce and payment security that should be scrutinized. An important aspect of the guidance is that it looks at the areas where the PCI Council is seeing the majority of breaches. At the top of the list are SQL injection and cross-site scripting (XSS) attacks. While they are not new attacks, they are consistently cited as the reason for the majority of breaches in any given year.
"These are exploits that are in some cases 12 years old. There are a myriad of ways to prevent these exploits within the PCI-DSS standard," Russo said. "This guidance provides more clarity to make sure that a merchant can make sure these items are top of mind."
Russo is confident that SQL injection can be stopped and prevented.
"Stopping a SQL injection is very simple, it's all about secure coding that you need to do," Russo said. "When you have coded something securely, there is no way that you can get a SQL injection there. It's the issue of convenience trumping security."
In Russo's view, in an effort to get software out quickly, vendors can sometimes overlook proper security. He stressed that there are many ways to stop attacks as they become better understood.
"Most attackers are opportunistic and are looking for low-hanging fruit. They are finding it with SQL injection and XSS because people are not taking the time to code applications correctly," Russo said.
Compliance vs. Security
Though many e-commerce vendors are PCI-DSS compliant, that doesn't necessarily mean that they are secure. There is a fundamental difference between the two, Russo noted. As an example, he said that if you walk out the door of your home and don't lock your front door, you're not secure, even though you have a lock.
"You can be PCI compliant by having all the right things in place, but if you don't use them correctly, you're not secure," he said.
The new guidance document comes at a particularly interesting time for the PCI Council. 2013 is a release year for PCI standards.
New items will be discussed and presented at community meetings throughout 2013 prior to the release of the updated standards. The pre-release of the new PCI-DSS 3.0 standard is likely to happen in the September to November time frame. The new standard would then become effective on Jan. 1, 2014.
The PCI-DSS 2.0 standard will remain active for an additional year after the release of the PCI-DSS 3.0 standard.