Where PCI DSS Still Falls Short (and How to Make it Better)
Former CISO and Symantec strategic consulting director Ariel Silverstone goes through PCI DSS line by line and offers suggestions to make it more effective.
Ariel,
I agree with most of your comments. In fact, I have one suggestion of my own. The PCI DSS recommends the use of an anti-virus for protecting systems from malware. Unfortunately, even the best anti-virus will not distinguish a well-written data siphon program from a legitimate payment processing app. Under these conditions, is it acceptable to just implement an anti-virus, or should organizations look into complementary or alternative technologies to prevent such data leaks?
Many vendors like Solidcore, Third Brigade and CoreTrace are pushing a whitelisting technology which is highly effective in stopping unauthorized applications. It will be great if PCI DSS enhances the language of section 5 to approve the use of these emerging technologies. I know many organizations that are doing so, but only after fighting to get the approval from their auditors. It is ironic that most auditors prefer ineffective anti-viruses over a technology that has been proven to offer better security.
My $0.02
While I applaud and agree with many of your comments, there will never be a true debate or review of PCI standards. The PCI Standards Organization is a FOR PROFIT private organization whose controlling partners are Visa, MasterCard, American Express, Discover and JCB. Not only is the PCI Standards Organization not a recognized standards writing organization, but comments and reviews done by its membership on the standards are feedback only and may or may not be incorporated into the standards themselves, which are dictated by the controlling partners.
PCI Standards Organization generates its income through the certification and licensing of its assessors (note I said assessors, not auditors, because there is no accountability for either them or PCI Standards Org.) and now payment software. However, they have no liability for faulty or inadequate reviews. In fact, most recent compromises were for organizations that had been "certified" compliant. Of course, per the payment card associations, because they had a compromise they were "obviously not compliant".