Tuesday, September 05, 2006

Questions loom over PCI compliance

A timely article by SearchAppSecurity, Expected PCI standard update raises concerns for Web app security, digs into the webappsec PCI standard mystery. The question is are the powers that be going to gut the PCI standard? According to communication received by certified PCI scanning vendors, there is supposed to be a drop of 8 of the OWASP Top 10. Leaving only Cross-Site Scripting (XSS) and SQL Injection. Then almost contradictory, a MasterCard spokesperson said: "...there are no plans to make any of the PCI Data Security Standard requirements less robust. Any future enhancements to the standard are intended to foster broad compliance without compromising the underlying security requirements of the current standard." As always the answer to 99 questions out of 100 is money.

For those unfamiliar, the Payment Card Industry Data Security Standard (PCI DSS) is a mandate from Visa, MasterCard, AMEX, Discover, and JCB dictate how merchants (handling over 20K CC transactions per year) must protect the data. Merchants must also have their publicly facing networks and websites scanned for vulnerabilities every 3 months by a certified scanning vendor (WhiteHat Security is on the list). Network scanning is fairly common and reasonably inexpensive. For anything less than a class-C network, it'll normally cost only several thousand dollars since the process is highly commoditized and supremely automated. To contrast, web application security assessments typically run anywhere from 8K to 20K per website. Web application security assessments take quite a bit of technical expertise and the process is comparably manual (including scanning for XSS and SQL Injection). While continuous services like WhiteHat Sentinel are pushing costs down and quality up, pricing is still going to be off from that of network layer scanning.

The credit card brands would love to enforcement really strong standards. The key factor is customer adoption. Many, perhaps most, of the larger merchants are already moving towards a continuous and comprehensive webappsec program regardless of PCI. However, smaller and mid-sized merchants may revolt if the jump in cost of doing business to comply is too great. The PCI DSS committee's challenge is a finding the proper balance between security and afforable pricing. They're asking themselve's, "What if we say only scan for the suff that can be automated? 1) Will that be cheap enough? 2) Will that make a difference in website security"?

1) Possibly
Too much cost is relative to the merchant and the number of websites they happen to have. Obviously paying nothing is more desirable to paying anything. It's the responsiblity of the scanning vendors and the market opportunity to drive cost-effective solutions. (Bias warning: I think WhiteHat Sentinel is that solution)

2) Definitely not.
I'll keey saying it. It only takes a single vulnerability to seriously impact an online business. The bad guys know that. Unless your prepared to find all the vulnerabilities all the time (the goal), what you are not getting is security.

1 comment:

Anonymous said...

Since im currently working on the new Top 10 and also have spent a load of time understanding the weak requirements of the PCI, I can honestly say the way Mastercard/VISA have handled this is pathentic.

Tho, as you said, its all about money in the end