Skip Links

PCI DSS 3.0 is an evolution, not a revolution

By Taylor Armerding, CSO
January 16, 2014 12:22 PM ET

CSO - The primary goal of the Payment Card Industry Data Security Standard (PCI DSS) is to protect the confidential user information on credit cards.

[CSO's guide to the Target data breach]

So, an obvious question, given the news of the past several weeks, is whether the massive breach of retailer Target could have been avoided, or at least discovered in fewer than 19 days (the breach reportedly lasted from Nov. 27-Dec. 15), if the company had been in compliance with the latest update of the standard, known as PCI DSS 3.0, which took effect Jan. 1, but will not require full compliance until the beginning of 2015.

Not likely, according to several experts, even though Requirement 9.9 of the standard calls for organizations to physically secure their Point of Sale (PoS) terminals. Requirement 5 could also apply; it calls for organizations to protect all their systems against malware.

As Target CEO Gregg Steinhafel acknowledged in his recent "apology tour" of the major television networks, the company's PoS systems had been infected with malware.

Still, experts said the new standards would probably not change the outcome, and at this point, with the investigation incomplete, it is impossible to say for sure. The mantra in the security industry remains: "There is no such thing as 100% security."

"Requirement 5 already existed in version 2.0 and very little changed in 3.0," said Chris Camejo, director of assessment services at NTT Com Security, noting that it is easy for attackers with programming capabilities to write custom viruses that will not be detected by anti-virus -- so-called "zero-day attacks."

"Those targeted by custom malware would have to rely more on their ability to detect and respond to the attack itself via network monitoring than on the ability of anti-virus or IPS to block as-yet unknown custom attack code," he said.

Camejo and others also said Requirement 9.9 would not have helped, since it did not appear that there was physical tampering with Target's PoS devices. "Malware can be spread across the network without physically interacting with the PoS, and given the scale of the breach at Target I suspect that this attack was conducted mostly or entirely over a network," he said.

[Collisions likely over PCI 3.0]

Julie Conroy, an analyst at Aite Group, agreed that compliance with PCI DSS 3.0 probably would not have helped. "Protecting systems against malware is already something most retailers, particularly the large ones, are trying to do," she said. "Given the breadth of systems impacted, the attack on Target appears to have been quite sophisticated."

Dr. Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, said it is impossible to tell. "Anybody who claims that, 'if only they bought our stuff, or complied with our stuff, the breach would not have happened,' is likely not being 100% honest," he said.

[Passing PCI firewall audits: Top 5 checks for ongoing success]

"Specifically, we don't know whether they had anti-virus on the PoS devices and we don't know, but doubt, that the attackers needed physical access."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News