PCI DSS little deterrent to payments crime

John Kavanagh
There were plenty of sceptics at last week's Payment Card Industry Data Security Standard Compliance Conference in Sydney who argued that the industry's security standards were not good enough to stop the rising rate of cybercrime.

A number of speakers took aim at the Payment Card Industry Security Standards Council, saying its PCI DSS standard was flawed.

A director of the security consultant earthware, David Kaplan, said PCI DSS was like an audit requirement - companies did as little as possible to meet the standard and were apathetic about ongoing monitoring and analysis.

He said the other problem with the standard was that it was always catching up with new technology.

"Organisations put in a new widget and they don't know how to keep it secure. They think they are compliant but they don't see the problem coming."

Kaplan said the claim by members of the PCI Security Standards Council that no PCI DSS-compliant organisation has ever been breached was wrong.
 
The managing principal for investigative response at Verizon Business Security Solutions, Mark Goudie, said: "PCI DSS is not a failure, but it is no more than a minimum acceptable standard.

"The biggest flaw is event monitoring and log analysis. It is complicated to go through that mass of data and a lot of organisations are not doing it. That is why attackers are inside systems stealing data for an average of seven months before they are detected and why most breach notifications come from outside the company affected.

"The other big problem is that companies are storing data they don't even know about. In our investigations two-thirds of data was stolen from companies that did not know they held that data."

The managing director of Lockstep Technologies, Stephen Wilson, said PCI DSS was a "patch" designed by payment card companies in the hope that they could avoid forcing merchants and financial institutions to use more complex, expensive and time-consuming procedures like encryption and two-factor authentication as a standard part of every transaction.

Wilson said the solution would not come until payment industry participants were all using dynamic data and stopped storing customer information.

Wilson said: "We need a standard like PCI DSS because merchants like to store customer data. Let's overturn that. When the card number is replaced with a token that generates a unique transaction password the problem of storing millions of cardholder identities goes away."
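Two of the points above, Goudie's finding that companies are breached for data they did not know they held and Wilson's proposal to replace the stored card number with a token plus a per-transaction value, can be made concrete in code. The following is an added illustration and is not code from the article or from any of the speakers' organisations. The `TokenVault` class is a hypothetical stand-in for a payment-network token service, the records are constructed samples using well-known test card numbers, and the HMAC-based transaction code is one simple way to model "dynamic data", not a description of any real scheme.

```python
import hashlib
import hmac
import re
import secrets
import string

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text: the data a company may not know it holds."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


class TokenVault:
    """Hypothetical stand-in for a token service run by the payment network.

    It is the only party that ever sees the PAN; the merchant keeps the token.
    """

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._key = secrets.token_bytes(32)  # vault secret used to derive transaction codes

    def tokenize(self, pan: str) -> str:
        # Letters only, so a token can never be mistaken for (or scanned as) a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._pan_by_token[token] = pan
        return token

    def transaction_code(self, token: str, amount_cents: int, counter: int) -> str:
        """Unique value per transaction: a leaked or replayed code is useless for the next one."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        msg = f"{token}|{amount_cents}|{counter}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]


def tokenize_record(record: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid card number in a record with a vault token."""
    def _swap(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_swap, record)


# Constructed sample records a merchant might hold (public test card numbers, not real ones).
SAMPLE_RECORDS = [
    "2023-05-01 order=1234567890123 customer=alice card=4111 1111 1111 1111 amount=4999",
    "2023-05-01 support-note: bob phoned, re-keyed 5555-5555-5555-4444 over the phone",
    "2023-05-02 order=1234567890123 customer=carol paid by invoice",
]


def scan_records(records: list) -> dict:
    """Map record index -> card numbers found, for records that contain any."""
    return {i: pans for i, r in enumerate(records) if (pans := find_pans(r))}


if __name__ == "__main__":
    print("before:", scan_records(SAMPLE_RECORDS))
    vault = TokenVault()
    cleaned = [tokenize_record(r, vault) for r in SAMPLE_RECORDS]
    print("after: ", scan_records(cleaned))
    tok = cleaned[0].split("card=")[1].split()[0]
    print(vault.transaction_code(tok, 4999, 1), vault.transaction_code(tok, 4999, 2))
```

The scan stage is the part most organisations skip: the support note in the second record is exactly the kind of incidental storage that shows up only when someone searches for it. After tokenisation the same scan finds nothing, and a stolen token is worthless without the vault, which is the property Wilson is describing.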