Thursday, March 20, 2008

Does The PCI Security Council Understand Security?

Ed Adams writes on StorefrontBacktalk:

The PCI Security Standards Council is made up of seemingly smart folks from the credit card brands and security industry. Unfortunately, this group of misfits is saddled with a myriad of competitive conflicts of interest and, worst of all, a complete misunderstanding of how to best protect card data and consumer identity.

The PCI DSS does an adequate job of defining audit procedures around policy, network segmentation, access controls, and perimeter defenses such as firewalls. It is woefully inadequate, however, in addressing the biggest risk to cardholder data: the application layer. Sure, there are some new requirements that are slated to take effect in June for web-facing applications, but those new requirements were rushed into the standard and obviously not well thought out.

More here.
