Oracle CSO Trashes PCI Rules
Three-year-old requirement to release vulnerability details when found is misguided and dangerous, Davidson says
Fri, April 06, 2012
Computerworld — In an unusual move, Oracle chief security officer Mary Ann Davidson has called on vendors of payment application software to join her company in opposing specific security vulnerability reporting requirements of the Payment Card Industry Security Standards Council.
In a lengthy, sharply worded blog post late last month, Davidson lashed out at the PCI Council for allegedly not responding to Oracle's repeated requests that it reconsider its policy of requiring software vendors to share detailed vulnerability data even in circumstances where patches haven't been released.
"Established industry practice concerning vulnerability handling avoids the risks created by the [PCI Council's] vulnerability disclosure requirements," Davidson said.
By insisting that vendors divulge detailed vulnerability and exploit information as soon as a flaw is discovered, the PCI council puts vendors and customers at risk, Davidson contended.
"Make sure you tell your customers that you have to rat them out to PCI if there is a breach involving the payment application," she said.
The PCI Security Standards Council develops and administers a set of security standards that all entities handling credit and debit card data are expected to use.
The council was established in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
About three years ago, the council released the Payment Application Data Security Standard (PA DSS), a set of baseline security standards for payment application software.
The standard requires all developers of payment applications to implement specific security controls in their products and to submit to periodic PCI Council security assessments.
All retailers and other entities handling payment card data are required to use only Validated Payment Applications (VPA) when processing payment card data.
Davidson said she objects to the PA DSS requirement that software vendors submit detailed technical information and exploit details on any security flaws in their products to the PCI Council.
Vendors have been obligated to comply with the requirements since August 2010, so it's not clear why Davidson is raising the issue now. It could be because the PCI Council is currently asking stakeholders for feedback on the next release of the PA DSS standard.
Davidson was not immediately available for comment on the blog post.
In her post, Davidson called the PCI Council's disclosure requirements "extraordinary and extraordinarily bad, short-sighted and unworkable. Specifically, PCI requires vendors to disclose (dare we say 'tell all?') to PCI any known security vulnerabilities and associated security breaches involving [Validated Payment Applications] ASAP."
The Council could "blab" about the vulnerability details to third-party security assessors, or to any affiliate or agent of those entities, as well as their employees, contractors, merchants, processors, service providers and others, Davidson contended. "This assorted crew can't be more than, oh, hundreds of thousands of entities. Does anybody believe that several hundred thousand people can keep a secret?" Davidson noted in her blog.