Most retailers and other businesses are continuing to struggle with payment card industry standards, placing confidential customer data at a heightened risk of exposure as a result. A Payment Card Industry (PCI) Compliance Report from Verizon found that just one in five (21 per cent) organisations achieved compliance during …
The real problem
is that PCI is overly onerous and yes still allows such bullshit as Verified by Visa to exist
PCI DSS audit procedures are rubbish, too
I'm wondering if these statistics are actually worth anything ...
I've seen questionnaire-based PCI DSS audits where the auditors themselves didn't understand their own questionnaire, or demanded answers to questions which were not applicable to the situation (such as whether media containing payment data are handled by specially instructed staff during transport, when payment data isn't ever transported by physical media).
There was even one case where a truthful answer would have meant failing the audit, while the "correct" answer was obviously nonsensical: The audit form required my client to state that the systems processing credit card data are not connected to any other devices or networks, when in fact they were using a web-based transaction processing service (and the provider of this very service initiated the audit)! In the end, *the auditor knowingly told us to provide false information* in order to pass the audit.
So I guess even among the 21 % who pass are a number of companies who simply lie during the audits - sometimes at the auditor's request, as in the case I witnessed, but probably otherwise as well. This isn't very surprising either as they are often under the threat of having their payments - i.e. their revenue stream - cut off at short notice.
On the other hand, I guess among the other 79 % are quite a lot of companies that do have adequate security, yet made the mistake of answering the questionnaires honestly and were tripped up by some idiotic question.
BTW, there's a wonderful tale of an auditor demanding usernames and passwords for all employees of a company over at serverfault: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
According to Sturgeon's Law your statistics are well over what they should be.
Jesus F'ing Christ, what do they expect? The cost of becoming PCI-DSS compliant is extortionate for most businesses. Most small and medium sized enterprises would be put out of business if they were forced to become PCI-DSS compliant (which is what the banks are trying very hard to do).
Considering the state of the global economy, the banks should be glad they have the business, not trying to destroy their own client's finances by insisting they jump through all kinds of ridiculous hoops.
Yet another argument for Data Breach Legislation
This is another example of why the UK needs data breach legislation.
If you have to publicly announce you have been breached, then businesses will find it cheaper to be secure than out of business when everybody stops using their insecure web shop.
We should also have the IT security audits included in the company annual returns, so that the shareholders, customers and business partners can see what they are dealing with.
The other thing to note is that Security is only expensive if you do not consider the cost of being insecure (e.g. $2bn at UBS)
The PCI-DSS standards are ridiculous.
For example, if you use an off-the-shelf package, it's supposed to be PCI-DSS certified. But if you use something bespoke, you can exempt it from this requirement and just self-certify it.
So that open source package which has been developed and honed over several years, and is in use by thousands of sites, can't be used. But you're free to hire some guy out of school in a third world country to knock up a site for you bespoke, with all manner of security issues like SQL vulnerabilities and XSS, and it's perfectly ok.
It should be pointed out that compliance itself is not necessarily the expensive part. The expensive part is certification, which some insist is a requirement but it's still rather unclear.
But the whole PCI-DSS thing is somewhat irrelevant anyway, since there is a simple way to exempt your site from the requirements. Just use a certified level 1 gateway such as Paypal, or virtually any other payment processor where users are directed off to the gateway's own secure pages for inputting card data. As long as it is level 1 certified, you're effectively not handling card data so your site is exempt from PCI-DSS.
I think this is really the actual point of PCI-DSS; to encourage the vast majority of businesses to eschew handling card data themselves and outsource it to dedicated companies whose business is precisely that.
The problem is that VISA/MC don't do enough to tell people this is how simple being compliant is. Instead they present you with all these forms and technical requirements, not to mention expensive licensing regimes. And of course, those shopping cart systems that are PCI-DSS like to go round scaring people into thinking they must use such a cart, when in fact using a third party gateway is cheaper, simpler and fully PCI-DSS compliant.
Yep, that's exactly what we're doing: using a certified third-party PSP. That's a lot simpler than trying to get the whole organisation PCI-DSS compliant!
Too many false positives
Since this is failing the initial compliance audit then it will include huge numbers of false positive results from the security scan on most systems. I regularly see things like openssh version must be >= 5.whatever complaining about the 4.3 that's used on RHEL5 systems even though Red Hat backport all the security fixes to their version.
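The false positive described in this comment is a version-string check that never looks past the upstream number in the SSH banner. The following added example (not from the thread, and not any scanner's real rule set) shows the naive check beside a triage step that consults the installed package build; the banner strings, the `rpm -q` output and the allowlisted build id `openssh-4.3p2-82.el5` are constructed placeholders, and in practice the allowlist would be filled from the distribution's own security advisories.

```python
"""Banner-based version checks versus vendor-backported packages.

Added example; the package build ids below are constructed placeholders,
not taken from the thread or from any vendor advisory."""
import re

# A scanner rule of the form "openssh must be >= 5.x" only sees the
# upstream version advertised in the SSH banner, e.g. "SSH-2.0-OpenSSH_4.3".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def banner_version(banner):
    """Return (major, minor) parsed from an SSH banner, or None if absent."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def naive_finding(banner, minimum=(5, 0)):
    """The scanner's verdict: flag anything whose banner is below `minimum`."""
    v = banner_version(banner)
    return v is not None and v < minimum


# Vendor builds known to carry the backported fixes. Constructed
# placeholder build id; a real list is maintained from vendor errata.
BACKPORTED_BUILDS = {
    "openssh-4.3p2-82.el5",  # placeholder, not a verified vendor build
}

ARCH_SUFFIX = re.compile(r"\.(i386|i686|x86_64|noarch)$")


def installed_builds(rpm_q_output):
    """Parse `rpm -q openssh` output (one NVR per line, optional arch)."""
    return [ARCH_SUFFIX.sub("", line.strip())
            for line in rpm_q_output.strip().splitlines() if line.strip()]


def triage(banner, rpm_q_output):
    """Combine the banner finding with knowledge of the installed package.

    Returns 'pass' (banner satisfies the rule), 'false_positive' (banner is
    old but the build is on the backported allowlist) or 'fail'."""
    if not naive_finding(banner):
        return "pass"
    if any(build in BACKPORTED_BUILDS for build in installed_builds(rpm_q_output)):
        return "false_positive"
    return "fail"


if __name__ == "__main__":
    # Constructed sample: an old-looking banner on a host with the
    # allowlisted build installed.
    print(triage("SSH-2.0-OpenSSH_4.3", "openssh-4.3p2-82.el5.x86_64\n"))
```

The point of the triage step is that the verdict depends on the package build, which is what the vendor's errata actually reference, rather than on the upstream version string alone; a host whose build is not on the allowlist still fails, so the allowlist has to be kept current against the vendor's advisories.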
Pass or Fail
Too much of the audit is Pass or Fail, when in reality proper security is built in layers and has true synergy - the whole is greater than the sum of the parts. Not every layer is necessary, but the more the better.
Perhaps PCI needs to revamp the review process and score on a sliding scale. Each security layer or control scores points, and a rating can then be generated. The best companies will score highly, however those on slightly lower scores are probably still pretty good at PCI. As the report says, those with low scores will typically be those with breaches.
US, Europe, and Asia, so there won't be many British operations.
In the last week, I've made orders through both British and US companies.
In both cases they were companies I had dealt with before.
The British company did ask for the 3-digit security number from the back of the card.
The US company was satisfied with my username/password combo.
Neither used the sort of checking scheme (e.g. "verified by Visa") which was being hyped last year.
It's a crock of shite.
The form required is too complex for a small business that only uses a PDQ terminal.
continuing to struggle to make a passing grade...
Some people seem to really struggle with PCI standards but actually they are not all that complicated. The problem is that a few businesses are exploiting the market to capitalise on people's fear of not being compliant. It is indeed true that they are charging far too much for small businesses to afford, but the point is they shouldn't need to charge that much - as less work should be required for a small and less complex scenario.
An easy way to get around the obligation is simply to use a payment gateway such as PayPal.
There is far too much FUD around the PCI standards. We have come across small businesses being told by their bank that they need to spend £100K to become compliant, even though they don't even store any card details and therefore PCI DSS does not apply to them.
I think everyone will agree that VbV is just a great big pile of stinking non-security.
PA-DSS is a joke
The PA-DSS which applies to payment applications (including online shopping carts) is a joke. It's hardly surprising few bother to adhere to any of this nonsense.
When you read it it becomes clear that it's written with shop and restaurant terminals in mind - yet they try and apply it to shopping cart software which probably makes up the vast bulk of payment applications.
As Cap'n points out - you can avoid the PA-DSS by passing up the opportunity to use a professionally created shopping cart, or one built by a thriving open source community, and instead write one yourself, or get your next door neighbour's son (who knows a bit of php) to do that.
Just like the health and safety industry, PA-DSS and PCI-DSS is a good idea implemented by ignorant bureaucrats and latched onto by smarmy chancers who take a course to become "consultants" passing judgement on people who probably know more about it than them.
As a consequence certification is so expensive (costing more to get than to develop the product in many cases) that very few products have it... as a consequence the banks have been rather liberal about requiring it, kind of defeating the point of the whole process.
Compliance is not the same as secure, PCI-DSS is a good starting point BUT should only be used as a building block and then work your way up from there.
No wonder security is poor...
...if this load of comments is indicative of the general understanding of PCI DSS & security in general.
"if you use an off-the-shelf package, it's supposed to be PCI-DSS certified. But if you use something bespoke, you can exempt it from this requirement and just self-certify it." - RUBBISH! The point of PA-DSS is to ensure that off-the-shelf payment application software can be set up and maintained in a PCI DSS compliant manner. Far too many off the shelf packages actually prevent achieving PCI compliance because they do something stupid, like intentionally store CVV2 values. It is a way of getting vendors to produce software that does what it needs to do from a security perspective. If you develop the software yourself, then you can make sure the software does what is needed yourself.
"The form required is too complex for a small business that only uses a PDQ terminal." - then you are using the wrong form (there are five of them, one of them specifically for PDQ terminals).
"The cost of becoming PCI-DSS compliant is extortionate for most businesses. Most small and medium sized enterprises would be put out of business if they were forced to become PCI-DSS compliant" - There are a whole load of things that can be done for free or at minimal cost to facilitate compliance. It does not require a £10k firewall or a 12 month Identity & Access Management programme (though some will try and convince you it does).
The truth of the matter is that most companies' perceptions of their own security are far from their actual reality. I have seen e-commerce merchants with no anti-virus at all, corporates running web servers on platforms that went end-of-life years ago and even banks with absolutely no security audit logging on their systems.
Keep telling yourselves PCI is a joke if that's what you want to believe, but without it, security for most companies will only improve after the horse has bolted.
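This last comment and the earlier one about gateways both turn on whether an application stores card data at all: a package that "intentionally store[s] CVV2 values" cannot be made compliant, and a merchant that keeps no card details has little to comply with. The following added example (not from the thread and not part of any PCI toolkit) is the kind of check a defender runs over exported application records to find a primary account number stored in the clear or a CVV2 stored at all; the records, the field names treated as CVV2 fields, and the card number `4111 1111 1111 1111` are constructed sample values, the latter being a conventional test number rather than a real account.

```python
"""Find card data an application must not hold: cleartext PANs and
stored CVV2 values. Added example; all records below are constructed."""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not part
# of a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Field names taken (by assumption) to denote the card security code.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


def luhn_ok(digits):
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return digit strings in `text` that look like PANs: 13-19 digits
    that pass the Luhn check. Separators are stripped before checking."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def audit_record(record):
    """Findings for one dict-shaped record as (kind, field) pairs.

    The PAN itself is deliberately not echoed into the findings, so the
    audit output does not become another place card data is stored."""
    findings = []
    for key, value in record.items():
        if isinstance(value, str) and find_pans(value):
            findings.append(("pan_cleartext", key))
        if key.lower() in CVV_KEYS and value not in (None, ""):
            findings.append(("cvv_stored", key))
    return findings


def audit(records):
    """Findings across all records, keyed by the record's order_id."""
    return [(r["order_id"], f) for r in records for f in audit_record(r)]


# Constructed sample export: one bad record, one with a non-Luhn
# reference number (no finding), one that stores only a token.
SAMPLE = [
    {"order_id": "A1", "note": "paid by card 4111 1111 1111 1111", "cvv2": "123"},
    {"order_id": "A2", "note": "ref 1234567890123456", "cvv2": ""},
    {"order_id": "A3", "pan_token": "tok_placeholder", "cvv2": None},
]

if __name__ == "__main__":
    for order_id, (kind, field) in audit(SAMPLE):
        print(f"{order_id}: {kind} in field '{field}'")
```

Record A2 shows why the Luhn check matters: a sixteen-digit order reference is not a card number, and flagging it would be exactly the sort of false positive the thread complains about elsewhere. Record A3 is the pattern the gateway comments describe, where the merchant keeps only a processor token and never sees the PAN or the CVV2.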