PCI DSS 3.0 is an Evolution, Not a Revolution

The primary goal of the Payment Card Industry Data Security Standard (PCI DSS) is to protect the confidential user information on credit cards.

By Taylor Armerding
Thu, January 16, 2014

So, given the news of the past several weeks, an obvious question is whether the massive breach of retailer Target could have been avoided, or at least discovered in fewer than 19 days (the breach reportedly lasted from Nov. 27 to Dec. 15), had the company been in compliance with the latest update of the standard, PCI DSS 3.0. The new version took effect Jan. 1 but will not require full compliance until the beginning of 2015.

Not likely, according to several experts, even though Requirement 9.9 of the standard calls for organizations to physically secure their Point of Sale (PoS) terminals. Requirement 5 could also apply; it calls for organizations to protect all their systems against malware.

As Target CEO Gregg Steinhafel acknowledged in his recent "apology tour" of the major television networks, the company's PoS systems had been infected with malware.

Still, experts said the new standards would probably not have changed the outcome, although with the investigation incomplete it is impossible to say for sure. The mantra in the security industry remains: "There is no such thing as 100% security."

"Requirement 5 already existed in version 2.0 and very little changed in 3.0," said Chris Camejo, director of assessment services at NTT Com Security, noting that it is easy for attackers with programming capabilities to write custom viruses that will not be detected by anti-virus, the so-called "zero-day attacks."

"Those targeted by custom malware would have to rely more on their ability to detect and respond to the attack itself via network monitoring than on the ability of anti-virus or IPS to block as-yet unknown custom attack code," he said.

Camejo and others also said Requirement 9.9 would not have helped, since it did not appear that there was physical tampering with Target's PoS devices. "Malware can be spread across the network without physically interacting with the PoS, and given the scale of the breach at Target I suspect that this attack was conducted mostly or entirely over a network," he said.

Julie Conroy, an analyst at Aite Group, agreed that compliance with PCI DSS 3.0 probably would not have helped. "Protecting systems against malware is already something most retailers, particularly the large ones, are trying to do," she said. "Given the breadth of systems impacted, the attack on Target appears to have been quite sophisticated."

Originally published on www.csoonline.com.