Who needs standards like this?

Payment Card Industry (PCI) Data Security Standard is a interesting light reading. It incorporates all the best practices of running IT infrastructure securely, in condenced form.

And it’s a perfect illustration of what’s wrong with following the best practices blindly. Let’s see:

Firewalls are a key protection mechanism for any computer network. 

No they aren’t. Not the current generation of firewalls anyway. Lacking both identity and application awareness, and increasingly helpless in preventing security exposures, firewalls are more or less useless. Identity and access management systems are the key protection mechanism.

For wireless environments, change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts.

SSID is a basic network identification mechanism and has nothing to do with security. You cannot hide SSID if the network is actually used. Security through obscurity is not real security – and in this case even obscurity isn’t achieved.

Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers).

This comes to an old argument: “If my web server is compromised, my database server is still safe”. Never mind that all users that use the Web server are compromised as well. Never mind virtualisation. You cannot avoid point of security failure – however many servers you will use for your setup, the threat models and overall risk will be roughly the same. Besides, as history shows us, running everything on a single mainframe is a valid approach to building systems.

Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.


And this is my favourite bit:

For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24 bit-initialization value
• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys
• Restrict access based on media access code (MAC) address.

Restriction of MAC address is useless, as MAC information is easily intercepted and forged; you cannot use WEP in conjunction with WPA or WPA2 (factual error); and using IPsec VPN, or SSL makes any WEP configuration redundant – so the whole paragraphe isn’t needed.

I can go on. The PCI DSS is full of clichés, unjustified requirements, and unjustifiable requirements. It also lacks detail where it might help. I’m pretty sure that TJX, the company that lost 45 million of the customers’ cards details, has successfully passed its PCI DSS audits – as it is required as a Level 1 merchant. Which highlights issues with both audits and the standard. It’s much better not to have a standard than to have a useless one.

Leave a Reply

Your email address will not be published. Required fields are marked *