Why PCI isn’t enough to ensure data security today?
Ounce Labs thinks it’s critical for consumers to know that, in many instances, their credit card data is still not secure:
- Compliance statistics are miserable, with less than 50% of merchants able to meet the minimum standards of PCI DSS.
- Even when merchants do comply, some portions of the standard are worded in ways that are open to interpretation.
- Published reports indicate that some unscrupulous auditors are taking advantage of non-compliant merchants by forcing them to utilize the auditors' compliance services in order to pass – a blatant conflict of interest that compromises the integrity of the PCI audit process.
- V 1.1 of the standard – which doesn’t take full effect until 2008 – suggests, but doesn’t mandate, that custom application code be reviewed for common vulnerabilities by an organization that specializes in application security. However, human beings are notoriously unreliable code scanners. A variety of factors, including simple fatigue, limit the ability of individuals to scan millions of lines of unfamiliar code to identify subtle vulnerabilities.
Unfortunately, since many, if not most, data breaches can be directly traced to exploitable application vulnerabilities, this means that you still can’t count on your credit card data being kept under lock and key.