Comments on: How Banks and Merchants manage their risk with PCI DSS

By: PCI punk

PCI punk — Sat, 27 Jun 2009 02:45:00 +0000

Attack vector based security risk management makes lots of sense. The problem is that many QSAs come from the “corporate” big5 auditor school and do not have the required skills or mindset of a potential attacker to perform the analysis or work required.

I have seen many reports by QSAPs who did the previous year’s assessment – where basic web application security flaws, such as XSS, was not adequately checked. This was mainly due to QSAP lack of web application security experience and skills.

The PCI Council needs to revise the minimum QSA experience and skills plus how this is verified. Right now many QSAs with not enough experience can easily pass the training and exam the PCI Council offers.

Another sad thing is that things seem to be geting worse than better. There are companies in the market that now offer “PCI lite” pen-tests, which are basically glorified automated scans. These have little or no attack vector based analysis to drive the testing scope and methodology.

Same goes for QSAs that do not spend enough time to define the proper scope across technology, processes and job roles. Assessments are rushed through and the requirements are not verified adequately to save time and cost.

If the PCI Council does not make the required changes, the whole PCI DSS program will soon become a joke with QSAs performing fast “tick in the box” assessments and non-serious companies performing fully automated vulnerability scans sold as a “pen-test”.

Do not get me started on the internal pen-tests, which are most of the time even more of a joke based on what most security companies are doing today, some of which are QSAs.

Most good QSAs I have spoken to who have both good business and technical security skills, have become more cynical to the whole PCI DSS scheme, the more they have been working on assessments.

Unless there are major changes and revisions done, there is only one way things will go in the future. It is not looking good right now …

By: admin

admin — Tue, 23 Jun 2009 06:48:02 +0000

Dominic, yes, I’m sure the banks and even card brands see many more attacks than does the individual merchant, but if you review the Verizon DBIR report (and others that cover the payments industry) we need only focus on a few factors.

We know that insecurities in partner or 3rd party connections account for 32% of data breaches. Do we spend 32% of our money on evaluating third party security? Do we even cover it more than PCI DSS Requirement 12.8?

I do like the PCI DSS but I think implementers need a data flow diagram (DFD) that walks them through the various business processes and what their options are for securing them. If we pair that with known risk and threat vectors (that have remained rather static over the years) we have a much better model for maximizing the usage of the PCI DSS and other scope reduction methods.

By: Dominic White

Dominic White — Tue, 23 Jun 2009 06:37:56 +0000

Interesting idea, if it were any other industry I would say you were wrong because the time effort and limited insight into attacks often results in rather poor efforts. But the CC industry has a nice centralised repository, allowing them to detect attacks even if the issuing bank or merchant don’t know about it (the card numbers in a breach all belong to X). I’m fairly sure that more breaches are detected by the payment brands than by their merchants (can you confirm this?). They should use their unique position and ability to analyse these attacks to provide a standard which prioritises based on attack vector, although this should be an additional weighting added to the prioritised approach.