Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

PCI app security: Who's guarding the data bank?

Compliance strategies for PCI's new application security requirements
Page:

While Willy Sutton never really said it, the truth is that people rob banks because that is where the money is. Today's criminals don't walk into banks with loaded guns and get-away drivers. Rather they connect from a remote location using a browser and are armed with hacking tools and spyware.

Where criminals of old targeted the teller behind the counter, today's attackers target banking and e-commerce applications. So, although the targeted infrastructure has changed, not much else has really changed from a threat perspective since Willy Sutton robbed banks. Ask a hacker "where is the money?" They will tell you: behind and within the poorly written and poorly protected banking and e-commerce software applications.

The list of threats and their calamitous consequences targeting banking and payment applications is seemingly endless. Identity theft, data leakage, phishing, SQL injection, worms, application Denial of Service (DoS) attacks, and botnets just scratch the surface, but these are the threats critical applications have to be secured against today. The big problem is that the number of threats as well as the number of applications that need to be secured are increasing on a regular basis.

PCI and Application Security

To date, the industry has given short-shrift to the needs of application security, and we all have paid for it with continuing data breaches. Consider this, Microsoft finally got serious about application security in 2002 with its Trustworthy Computing (TWC) initiative. TWC was an outcome of devastating attacks against Microsoft operating systems with worms such as Code Red and Nimda.

TWC was announced in an all-employee email from Microsoft head Bill Gates. He redirected all software development activities at Microsoft to include a full security review. Even with that directive it still took years to get to the point where Microsoft's code could start to be secure. How many merchants in the PCI space have their founders tell everyone to code securely and that they will stop all development until it is done? The point was, and is, that application security needs to be taken seriously and this means, investing the time, effort, and resources to do it right.

Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open.

So why has PCI started focusing on web and payment applications? For the very reason that these applications are the most obvious entry point for attackers to gain access to back-end databases containing huge amounts of credit card data.

Page:

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: pci standard
Latest Blog Posts
Whitepapers
  • Achieve Business and Environmental Goals
    HP Web Jetadmin software offers business intelligence capabilities, as part of the Database Connectivity Module, that help IT managers assess printing behaviors and lower their organization’s environmental footprint. HP Eco Solutions reports enable measurement of environmentally relevant capabilities, settings and use patterns. IT can use the results to spotlight opportunities to decrease energy and paper consumption—for a printer, group of printers or an entire fleet. Read more.
    Learn more »
  • Oracle x86 Rack Servers Optimized for Rapid Deployments and Operational Efficiency
    Business-critical and mission-critical workloads — demanding applications and databases — require stable and secure environments. When these types of workloads are deployed on x86 servers, the need to ensure business continuity, maximum uptime, and consistent processing means that IT managers and business unit managers are looking at enterprise x86 servers in a new way: They realize that the business depends on these servers and that x86 server platforms for the enterprise are no longer expendable, as they might have been when servers were dedicated to a single application — or when they were deployed as small Web servers that could be easily taken offline and replaced.
    Learn more »
  • OVUM Report: Governance Risk and Compliance-- GRC usage and buying trends in the ANZ markets
    The existence of an established and stable governance risk and compliance strategy is extremely important to public and private sector organisations as they strive to meet an evergrowing range of regulatory demands. Given the current constraints, it is one of the few areas where the vast majority of organisations intend to either maintain or in many cases increase spending. Read more.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.