While there has been much speculation about the expected update to the Payment Card Industry (PCI) Data Security Standard, major stakeholders Visa and MasterCard both remain mum on the details. But application security, which has been increasingly under the microscope in the larger security community, looms as a concern – and how stringent, or not, any updates to the standard may be in this area.
The PCI standard includes recommendations for scanning applications for security vulnerabilities, but "it doesn't solve the problem," said Khalid Kark, a senior analyst at Forrester Research Inc. in Cambridge, Mass. Application security also involves ensuring packaged applications meet security standards before they are purchased, training developers to develop securely, and all the people issues around security, he said.
"So getting to the root of issue is the thing," Kark said, "and that is hard to put into a standard and stipulate."
The PCI Data Security Standard was created in 2004 by MasterCard and Visa; other payment brands have since joined this effort. The intent is for merchants and service providers to assess the status of their security by using a single set of security requirements for all payment organizations. Each payment brand has its own compliance policies and procedures. An update to the requirements was expected this summer.
Some in the industry are concerned that the update might water down application security requirements in an effort to boost compliance.
"PCI recommendations in 2005 not only included network stuff, but the Web application layer as well. It outlined that scanning vendors must scan for the top 10 OWASP security vulnerabilities. That was a good place to start," said Jeremiah Grossman, founder and chief technology officer of White Hat Security, which MasterCard has certified as a PCI scanning vendor. "The expectation [of the update] from what's been released into the wild is that scanning vendors will be required to scan for SQL injection and cross-site scripting and that's it. SQL injection and cross-site scripting are definitely a risk, but they're not the only threats."
Erik Peterson, vice president of product management for Atlanta-based SPI Dynamic, which Visa recently invested in, said he has heard similar indications that SQL injection and cross-site scripting will be the main focus for vulnerability scanning.
Grossman cited the difficulties of PCI compliance as possible reasons why. "I think they had difficulty with the testing process; assessing Web sites is a hard process. It's not as simple as network scanning. Perhaps they felt the only option was to downgrade to a commonality that everyone can do all time and use that as a basis to build up the standard over time," Grossman said.
Both Visa and MasterCard, contacted for this article, had similarly worded responses to the speculation.
Christina Rae, vice president, Global Technology Communications, MasterCard International, wrote in an email: "MasterCard along with other payment brands, including American Express, Discover, JCB and Visa, are currently considering potential recommended updates to the PCI Data Security Standard based upon feedback provided by other industry stakeholders. A date for release of a revised standard has not yet been determined. However, there are no plans to make any of the PCI Data Security Standard requirements less robust. Any future enhancements to the standard are intended to foster broad compliance without compromising the underlying security requirements of the current standard."
Forrester's Kark said that rather than specify things such as SQL injection, he would like to see the standard aim at a higher level.
"A lot of people are saying even the current standard is too specific," he said. "Every environment is different. You want to stay at a higher level rather than point to specific levels of application security and say 'protect against those.' The companies I talk to now are having a hard enough time trying to be compliant. Some companies that do want to comply are not able to because of the unique circumstances of their environment."
Hope for improving standards process
Another concern for some is the PCI standards process. "One thing I haven't seen the PCI group do is circulate with the community," Peterson said. "They've used material from the community, like OWASP, but there's not a good two-way communication. We have offered feedback, and spoken directly to Visa, but they haven't yet truly embraced sharing data, to be honest. But they have given us the opportunity to mention a thing or two about what we think. I think as we build relationships, that will change over time."
The process could become more transparent if the PCI group turns the Data Security Standard over to a standards body, which it is expected to do.
"All we can say at the moment is Visa is in active discussions with other payment brands, including American Express, Discover, JCB and MasterCard, regarding the creation of a standards body that will be responsible for owning, maintaining and managing the PCI Data Security Standard. We believe this is an important step toward enhancing the security of electronic payments and anticipate the organization will be launched later this year," wrote Simon Barker, director of global corporate relations at Visa International, in an emailed response.
In the meantime, Kark advised application security vendors that are trying to capitalize on the market opportunity the PCI standard creates to remember that "compliance" has become "a dirty word" for chief information security officers (CISO).
"When you talk to chief information security officers, they don't want to hear compliance. Every vendor says they can do [PCI compliance], and it hasn't really panned out for lot of the products. I tell vendors, if you mention compliance, mention exactly what you can do, where you add value. You could say you can help with new regulations, but don't say it's PCI compliance. Be realistic about setting expectations. CISOs are really frustrated now."