A post relating to this item from Finextra:
12 January, 2012
PCI security standards in the dock
A legal challenge to the payment card industry's PCI security standards is brewing in the US, as a Utah-based restaurant chain cries foul over the apparently "arbitrary" nature of the system and the level of fines imposed by Visa and MasterCard following an alleged breach of security.
It's terrific that merchants are increasingly pushing back on PCI-DSS. It really is high time we shifted the emphasis from ad hoc, stopgap compromise measures to tackling the real problem: the replayability of account data.
Credit card numbers are a bit like nitroglycerine: handle them with great care or they'll blow up!
The slightest slip-up, the smallest weakness in database security in the face of sophisticated Advanced Persistent Threats, and tens of millions of card numbers are lost to criminals. PCI-DSS compliance is fiercely expensive, but all it does is protect against accidents; it is powerless to stop determined attackers or corrupt insiders.
Is it fair to hold merchants responsible for the highly technical handling procedures of the PCI-DSS regime, when instead the card companies could stabilise their highly volatile card data?
The fundamental problem with payment card safety (as is the case with most digital identity security) is that numbers are replayable. It's child's play to take account data and replay it against unsuspecting merchants, either via cloned mag stripe cards or, even easier, in online CNP fraud.
Yet with chip technologies now widespread, and digital signature primitives ubiquitous in computing and Internet platforms, it's nearly trivial to eliminate replay attacks. Not only could we dramatically reduce the cost of stolen card details, we'd pull the rug out from under organised crime, and we'd boost privacy by cutting the vicious cycle of gathering more and more ancillary personal data for proving customer identity.
Stephen Wilson, Lockstep, Sydney, Australia.
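An added example (my own sketch, not code from the post or from Lockstep) of the non-replayable authorisation the post argues for, using Go's standard-library Ed25519: the chip signs a challenge that binds merchant, amount and a fresh nonce, so a captured authorisation is worthless at another merchant, for another amount, or a second time. The merchant names, amounts and the signed message layout are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Challenge: what the terminal presents to the chip. The nonce makes every one unique.
type Challenge struct {
	Merchant string
	Cents    uint64
	Nonce    [16]byte
}
// encode fixes the exact bytes that get signed (merchant last, so the layout is unambiguous).
func encode(c Challenge) []byte {
	return []byte(fmt.Sprintf("%d|%x|%s", c.Cents, c.Nonce, c.Merchant))
}
// NewChallenge is the terminal's job: fix merchant and amount, draw a fresh random nonce.
func NewChallenge(merchant string, cents uint64) Challenge {
	c := Challenge{Merchant: merchant, Cents: cents}
	rand.Read(c.Nonce[:])
	return c
}

// SignAuth is the card's job; the private key never leaves the chip, so the
// signature over this one challenge is all an eavesdropper can ever capture.
func SignAuth(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, encode(c))
}

// Issuer verifies authorisations and remembers every nonce it has honoured.
type Issuer struct {
	Pub  ed25519.PublicKey
	Seen map[[16]byte]bool
}

// Approve honours sig only if it covers exactly this merchant, amount and nonce, and the nonce is new.
func (i *Issuer) Approve(merchant string, cents uint64, nonce [16]byte, sig []byte) error {
	if i.Seen[nonce] {
		return errors.New("replay: this authorisation was already honoured")
	}
	c := Challenge{Merchant: merchant, Cents: cents, Nonce: nonce}
	if !ed25519.Verify(i.Pub, encode(c), sig) {
		return errors.New("signature does not cover this merchant, amount and nonce")
	}
	i.Seen[nonce] = true
	return nil
}
```

Contrast this with a static card number, which verifies identically however many times and wherever it is presented; here the issuer can honour each signature exactly once, for exactly the transaction the cardholder's chip saw.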