Please wait while the page is being loaded Skip this advertisement >
Tuesday | 2 December, 2008
CIO
PCI app security: Who's guarding the data bank?
Compliance strategies for PCI's new application security requirements
Ben Rothke and David Mundhenk (CSO Online) 13 October, 2008 11:09:00
Page:

While Willy Sutton never really said it, the truth is that people rob banks because that is where the money is. Today's criminals don't walk into banks with loaded guns and get-away drivers. Rather they connect from a remote location using a browser and are armed with hacking tools and spyware.

Where criminals of old targeted the teller behind the counter, today's attackers target banking and e-commerce applications. So, although the targeted infrastructure has changed, not much else has really changed from a threat perspective since Willy Sutton robbed banks. Ask a hacker "where is the money?" They will tell you: behind and within the poorly written and poorly protected banking and e-commerce software applications.

The list of threats and their calamitous consequences targeting banking and payment applications is seemingly endless. Identity theft, data leakage, phishing, SQL injection, worms, application Denial of Service (DoS) attacks, and botnets just scratch the surface, but these are the threats critical applications have to be secured against today. The big problem is that the number of threats as well as the number of applications that need to be secured are increasing on a regular basis.

PCI and Application Security

To date, the industry has given short-shrift to the needs of application security, and we all have paid for it with continuing data breaches. Consider this, Microsoft finally got serious about application security in 2002 with its Trustworthy Computing (TWC) initiative. TWC was an outcome of devastating attacks against Microsoft operating systems with worms such as Code Red and Nimda.

TWC was announced in an all-employee email from Microsoft head Bill Gates. He redirected all software development activities at Microsoft to include a full security review. Even with that directive it still took years to get to the point where Microsoft's code could start to be secure. How many merchants in the PCI space have their founders tell everyone to code securely and that they will stop all development until it is done? The point was, and is, that application security needs to be taken seriously and this means, investing the time, effort, and resources to do it right.

Application security is at the heart of the Payment Card Industry (PCI) security standards and requirements. In the last few years, data breaches have resulted in hundreds of millions of data records being compromised. In most of these cases, the firewalls worked, the encryption worked, the logging worked, but the application contained security holes which obviated much of the security. It's like barring the front doors to the bank and leaving a back window open.

So why has PCI started focusing on web and payment applications? For the very reason that these applications are the most obvious entry point for attackers to gain access to back-end databases containing huge amounts of credit card data.

Page:
Related Topics
(Security)
More About: pci standard
Additional Resources
Executive Guides
Whitepapers
white paper Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Newsletter Subscription
Sign up for our CIO newsletters!
RSS Feeds
Featured Whitepaper Sponsors
  • White Paper
    Everything you need to know about email and web security (but were afraid to ask)
    What you don’t know can destroy your business. It’s hard to imagine modern business without the internet but in the last few years it has become fraught with danger. Read on to discover how internet security can give your business a competitive advantage.
  • White Paper
    Delivering the Power of Choice with Microsoft Dynamics CRM
    Join Ed Thompson, Research VP, featured analyst firm, Gartner, Inc., and Brad Wilson, General Manager CRM Microsoft Dynamics, for a new webcast, Delivering the Power of Choice with Microsoft Dynamics CRM, available now. Our panel will break down the best practices for getting the most out of CRM and you'll learn key recommendations you can implement in your organization. Additionally, you'll also hear Microsoft's vision for CRM.
  • White Paper
    Solve Exchange Mailbox Storage Issues Once and for All
    Join industry expert Bob Spurzem and Chuck Arconi of Fox Hollow to discover how to reduce Exchange total storage and keep it at a manageable level. Learn how Exchange storage growth can be contained without sacrificing security and accessibility.
Market Place
Learn how to prioritize services with IT Service Management (ITSM). Watch the Computerworld webinar now!
Understand the Value of Unified Communications | Download white paper now
New webcast | Discover the advantages of an open architecture multi-vendor network solution | View now
CRM Webcast: Learn how to find a CRM solution that fits into your existing business environment. Tune in now.
IDC Report | Making the Business Case for IT Consolidation | Download now
Discover why Ubiquitous Mobility is a key future component of Network Architecture | Download Forrester report now
IDC Report | IT Service Management Needs and Adoption Trends | Download now
Discover best practice strategies for the archival and removal of .PST files using email archiving
Learn to use EMC Celerra IP Storage with Vmware Infrastructure 3 over iSCSI and NFS | Download white paper now
Level the playing field. Report unlicensed software. $5000 reward. Contact the BSA today.
Discover best practice strategies for the archival and removal of .PST files using email archiving
 

Smart SOA World Tour

Discover how SOA can create smarter outcomes for your business.

Attend and learn:

  • How SOA is helping leading companies to become more agile
  • Where you should be applying SOA processes in your company
  • The top SOA implementation mistakes to avoid

Click here for more information.
  • +

    CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00

    For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders.
    [ MP3 (7.32 MB) | Windows Media (5.67 MB) ]
  • +

    CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25

    For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders.
    [ MP3 (7.56 MB) | Windows Media (5.14 MB) ]
  • +

    CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00

    Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
    [ MP3 (4.90 MB) | Windows Media (4.40 MB) ]
  • +

    CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00

    Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
    [ MP3 (5.89 MB) | Windows Media (4.84 MB) ]
  • +

    CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05

    Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
    [ MP3 (6.41 MB) | Windows Media (5.13 MB) ]
  • +

    Excerpt: Counterterrorism Strategies for Corporations 27 November, 2008 12:36:00

    Mike Ackerman calls terrorism "the skunk at the globalization lawn party." His new book lays out 10 principles for how businesses can prepare and respond.
    Mike Ackerman calls terrorism "the skunk at the globalization lawn party." His new book lays out 10 principles for how businesses can prepare and respond.
  • +

    The 10 Ackerman Principles of Counterterrorism 27 November, 2008 12:43:00

    Consultant and author Mike Ackerman's 10 counterterrorism principles for business.
    Consultant and author Mike Ackerman's 10 counterterrorism principles for business.
  • +

    Survey: Despite Risks, Employees Still Holiday Shop at Work 27 November, 2008 10:02:00

    As Cyber Monday approaches, research suggests a majority of workers will use their work computer to shop this holiday season. But despite the continued growth in online shopping, employees and business still don't understand the risk
    As Cyber Monday approaches, research suggests a majority of workers will use their work computer to shop this holiday season. But despite the continued growth in online shopping, employees and business still don't understand the risk.
  • +

    Why Cybercrime is Thriving 27 November, 2008 11:52:00

    A new Symantec report reveals just how large and sophisticated the online underground economy has grown
    A new Symantec report reveals just how large and sophisticated the online underground economy has grown.
  • +

    Employee Safety in Global Hotspots 27 November, 2008 11:53:00

    What risks do employees face in a sour global economy? What countries pose a growing threat of kidnapping for ransom? Is Columbia safer than Mexico? Insights from a former FBI hostage negotiator.
    What risks do employees face in a sour global economy? What countries pose a growing threat of kidnapping for ransom? Is Columbia safer than Mexico? Insights from a former FBI hostage negotiator.
CIO Webcast Innovation #8 - What are the biggest roadblocks to IT's involvement in innovation at your company?
Watch the latest latest edition of CIO Innovation which is now available for download.
Watch the webcast
Sign up to the CIO Innovation update email


CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II
Listen to the latest edition of CIO Live which is now available for download.
Listen to the podcast
Sign up to the CIO Live email
Get a job Careerone
Whitepaper


Read Whitepaper

Gaining Competitive Advantage Through Enterprise Planning

No matter how good its products or innovative its services, no organization can perform to its full potential without an adequate planning structure in place. Discover how this can be done by reading on.