04 Feb 09

Why The PCI Standards Seem To Constantly Change

One of the biggest complaints about the PCI standards is that they always seem to be changing.

The reason it seems that way is that the security measures for networks and applications are themselves always changing. Why? It's the attackers. Every time we close one way in, they find another. When the threats change, so do the tactics needed to secure resources. Hence, the PCI SSC issues clarifications to the PCI DSS to address new threats.

As an example, under v1.2 of the DSS you now have to conduct vulnerability scanning AND penetration testing on the inside of your network: vulnerability scans at least quarterly, and penetration testing at least annually or whenever significant changes are implemented. Why? For a number of reasons that are the result of changes in the threat landscape.

  • First, because applications are becoming browser-based, you no longer only have Web-based applications facing the big, bad Internet; they are also on your internal network. If they can be abused from the Internet, do you think they can also be abused from your internal network? You bet!
  • Second, it's not just the Internet you have to worry about these days. You need to worry about your own employees. Huh? You think those 20-somethings you have working for you are working all of the time? They get breaks, and they tend to want to surf the net. The other bad news is that in a lot of cases your younger employees may know as much as or more about your technology than your IT department. FBI statistics state that 70% or more of all attacks have an internal component: either an attacker used social engineering to get information for accessing your network or computers, or an insider is an active participant.
  • Finally, statistics point to security threats increasing on the inside of your network. Of course your IT department is on top of internal security, right? But you haven't funded a lot of security initiatives on the inside because you have all of those policies and standards that tell people not to do bad things to your network and the information you store. Meanwhile, you have invested in all of those new browser-based applications. While those applications may not face the Internet, they can still be susceptible to all sorts of vulnerabilities, such as cross-site scripting or SQL injection. And those vulnerabilities could be used to compromise your cardholder data as well as any other sensitive information.
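To make the last point concrete, here is an added example (my illustration, not code from the PCI Guru post or from any real merchant application) of the kind of flaw an internal-only cardholder lookup might carry, and what an internal penetration test would look for. It assumes a hypothetical customer lookup page backed by an SQLite table of constructed, fake PANs; the vulnerable version builds its query by string concatenation, the hardened version binds the input as a parameter and masks the PAN before display (PCI DSS 3.3 limits displayed PAN to the first six and last four digits; this example shows only the last four).

```python
import sqlite3

# Constructed sample data for the demo. These are test numbers, not real cards.
SAMPLE_ROWS = [
    ("C1001", "4111111111111111", "12/2010"),
    ("C1002", "5500000000000004", "06/2011"),
    ("C1003", "340000000000009", "03/2012"),
]


def make_db():
    """Build an in-memory cardholder table standing in for an internal app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (customer_id TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def mask_pan(pan):
    """Return the PAN with every digit except the last four replaced by '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def lookup_vulnerable(conn, customer_id):
    """Hypothetical internal lookup as often written: user input is pasted into the SQL text.

    Anything the caller types becomes part of the query, so a value such as
    ' OR '1'='1 turns a single-customer lookup into a dump of every PAN.
    """
    sql = ("SELECT customer_id, pan FROM cardholders WHERE customer_id = '"
           + customer_id + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer_id):
    """Same lookup with the input bound as a parameter and the PAN masked on output.

    The database driver never parses the bound value as SQL, so the same payload
    matches no rows instead of all of them.
    """
    sql = "SELECT customer_id, pan FROM cardholders WHERE customer_id = ?"
    rows = conn.execute(sql, (customer_id,)).fetchall()
    return [(cid, mask_pan(pan)) for cid, pan in rows]


def demo():
    """Run both lookups with a normal ID and with an injection payload; return the results."""
    conn = make_db()
    normal = "C1001"
    payload = "' OR '1'='1"  # classic tautology injection an internal tester would try first
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_payload": lookup_vulnerable(conn, payload),
        "safe_normal": lookup_hardened(conn, normal),
        "safe_payload": lookup_hardened(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns one row for a legitimate ID but all three PANs in clear text for the payload; the hardened lookup returns the one matching row with the PAN masked and nothing at all for the payload. Note that the application never touched the Internet: this is exactly the class of finding that a quarterly internal vulnerability scan or an annual internal penetration test is meant to surface before an insider does.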

All you have to do is look at the latest breaches, such as Heartland and RBS. Both had a strong internal component. In response, the PCI DSS is being adjusted to address the new internal threat.

So, if you want the PCI DSS and related standards to remain static, you need to stop the attackers from finding new methods of attack.
