Slashdot Mirror
Credit Card Security Standard Issued
alphadogg writes "The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, Wednesday issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization. PCI adherence has been pushed big time in the industry to help avoid more big breaches such as the one involving TJX. Those familiar with the standard say it could be expensive to implement and that there are some things those using wireless LANs will need to pay especially close attention to."
I think you answered your own post. The EU is more up to speed because security has been regulated (fraud is the merchant's problem in the US, not the bank or processing network). Card issues care less about security and more about transaction volume.
I can't explain why our banking system sucks though. I would've thought we'd be ahead of the curve when it comes to moving money electronically. *shurgs*
RFID is everywhere in Europe - just not on the credit cards. Yet. But the situation is changing.
The US is skipping on the chip-n-pin because it makes sense for them to jump directly to the RFID cards, which are physically more durable, and allow for different form factors (like mobile phones or keyfobs).
The RFID card security problems currently can be attributed to flawed security design, not to the technology itself. We trust TSL over WiFi, and WiFi is far more easier to skim than RFID comms.
You misunderstand the system.
Credit card companies and banks make money from fraud. You (as a customer) pay for insurance that they use to cover the fraud. They have no incentive to change. Changing will just cost them money and won't affect their bottom line.
At least, that's been the situation for decades. However the consequences of handing billions to criminals is starting to have an effect. The criminals have billions in assets, and can leverage those for bigger and bigger forms of fraud, and they are.
I don't really want to hear any more of this crap about how they're going to "segment" my secret pieces of information behind a firewall. The whole system is a house of cards, built on "secret pieces of information" and heuristics about the kinds of transactions fraudsters perform. Once someone has stolen all the relevant secret pieces of information, all bets are off and the system has failed. These "secret" pieces of information are not hard to obtain, and adding more secret pieces of information (i.e. CVV2) is absolutely not a solution. I want end-to-end encryption and transactions which don't need to be perpetually stored in a database alongside my secret pieces of information.
In short, I want electronic, encrypted cash. When my wallet is stolen and not worry that I will lose any more than the cash actually in the wallet. I don't want to have any more transactions denied because I traveled to a foreign country.
But most importantly, I want to take those billions out of the hands of criminals.
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
That's because PCI-DSS covers weak passwords but doesn't really test for them.
PCI is more about documentation and network layout than anything else. When my company did my audit they demanded segregated backend/ front end networks, SNORT machines on both and then followed up with a "pennetration test" that checked for common web server exploits and misconfiguration and the security scan actually encouraged us to hide all of the version numbers.
The upshot of all of this is that some of the things I had to do made things more secure but most of them were things that would look good on paper. I can still do things like not change passwords when people leave or put them on a paper I keep on a bulletin board and still keep my cert.
I shudder when I think of one company that I worked with. They are a very high level financial institution. Guess what their AIX HMC passwords are? Can you get to them from the outside world? Yep. Could I down their production servers, a year after I worked there? Yep. Are they considered compliant to DSS/PCI standards? Yep.
I suppose AIX servers were in PCI environment (otherwise your comment is out of scope).
Then the situation you describe probabely violates the following requirements:
req. 2.1: "Don't use default passwords"
req. 8.5.4 "Immediately revoke access for any terminated users."
req. 8.5.5 "Remove/disable inactive user accounts at least every 90 days."
req. 8.5.6 "Enable accounts used by vendors for remote maintenance only during the time period needed."
req. 8.5.8 "Do not use group, shared, or generic accounts and passwords."
req. 8.5.9 "Change user passwords at least every 90 days."
req. 8.5.10 "Require a minimum password length of at least seven characters."
About the fact that you can connect to servers from outside: that means no segmentation which in its turn means that the whole internet is to be considered as part of the PCI environment of this company.
Now please tell me by WHOM are they considered compliant?
Being financial institution means that they are provider (and may be merchant too) they certainly have to be audited by a QSA (self assessment questionnaire would not be sufficient) which could mean one of tho things:
The QSA did not his job properly
The company concealed things form the QSA
The problem with PCI is that it's a great deal of expense and trouble attempting to overcome a fundamental weakness in the system: That the card number is used as identification and authentication and by itself is sufficient to process a charge.
For the inevitable car analogy, it's like removing the door locks and replacing the ignition lock on a car with a simple toggle and pushbutton, then equipping the garage with a $10,000 state of the art security system and calling it good enough (completely ignoring that the car is parked in a public lot for 8 hours a day).
The fact remains that from time to time, you will have to give your credit card to some person you don't know who will disappear into a back room with it for 5-10 minutes.
If they would actually use the smart chips on the cards for more than security theater, the security (or lack thereof) of the processing system would be irrelevant.