By June 30, retailers around the world need to be compliant with the Payment Card Industry (PCI) Data Security Standard ¿ the standard that unites MasterCard, Visa, American Express, Diners Club, Discover, and JCB in the increasingly rigorous and complex protection of consumers¿ financial data. A new report by Forrester Research, Inc. (NASDAQ: FORR) sets out why PCI¿s current system for compliance validation ¿ based largely on self-assessment ¿ is insufficient and may fail to uncover serious risks. At the same time Forrester urges retailers and banks not to treat this as ¿just another compliance program¿ but to up their compliance efforts to go beyond PCI¿s requirements ¿ in their own interest, as much as that of their customers.
On the topic of self-assessment, Ivan Remsik, Senior Analyst, Financial Services, at Forrester Research, states: ¿While PCI compliance validation is thoroughly defined for large service providers and insists on the involvement of external security specialists, merchants and smaller service providers can proclaim compliance based on the judgment of their own staff, which may fail to uncover serious information security weaknesses.¿.
Forrester has already pointed out these weaknesses in an earlier report by Remsik, ¿Secure Online Card Activation Isn¿t¿ (April). The main points from that report:
- Many financial services sites are not protected against cross-scripting (XSS). The XSS technique enables an attacker to overlay bogus content onto a poorly designed legitimate Web site. Many financial services firms ¿ including the most trusted ones ¿ have not taken adequate preventive measures to protect their online channels from attackers.
- Online shopping sites are highly susceptible and often defenseless. All Web applications that use dynamically generated pages (including ¿read-only¿ or ¿brochureware¿ pages) are vulnerable to XSS. A large proportion of Web retailers still employ aging IT solutions hurriedly written during the eCommerce boom and with little security or defense against hackers.
- SSL encryption does not prevent code injection. Web sites that use SSL are no better protected against XSS attacks than Web sites that are not encrypted, because hackers introduce the malicious script tags before the encrypted connection between the client and the legitimate server is established.
Banks Need To Strenghten Compliance Validation
In this most recent report, Forrester notes that PCI is only a minimum standard; MasterCard and Visa allow their member institutions to implement stricter classification criteria or more stringent compliance validation requirements.
To minimize risks, and to better protect themselves (and their customers) against security attacks, Forrester believes that retailers and banks should: engage certified information security specialists in all PCI security audits ¿ thus bringing in the required IT expertise and payment industry experience; request that internal auditors participate in all PCI self-assessments ¿ leveraging existing auditing procedures and techniques; and extend the scope of PCI self-assessments.
Remsik concludes: ¿Information security (or a lack of it) is not an area in which banks and retailers should try to save money or compete.¿
The research mentioned in this release, ¿Payment Card Security: Self-Assessment Is Not Enough¿ and ¿Secure Online Card Activation Isn¿t,¿ is available to Forrester WholeView 2¿ clients.