I just read the article “Does PCI compliance work” (at http://www.ciozone.com/index.php/Blogs/view/2668/.html) and decided to blog this instead of adding it as a discussion to that article. The article discusses the “purpose and usefulness of PCI DSS and other similar regulations”.
There is discussion about the fact that the company, Heartland Payment Systems, has suffered a massive data breach of credit card numbers even though it has PCI DSS compliance. This discussion is more about PCI DSS and security in general.
PCI DSS protects data at rest, meaning the credit card data is protected (encrypted) while it is stored in databases or files, but does nothing to protect data in motion (data being processed before it is stored).
While the method used to steal the data has not been disclosed, a web site that uses server-side technologies like PHP or JSP in the wrong way allows a malicious user who gains access to the server to alter the code of the web pages. This lets them inject their own code to capture any data that is being requested, and this type of attack renders protection of data at rest useless. Code signing is one method of ensuring the code running your site has not been tampered with.
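The integrity check described above, as an added example that is not part of the original post: at deploy time the release pipeline records a hash of every file under the web root and signs the manifest; a later check re-hashes the live files and reports anything modified, added or missing. The sample site, its file contents, the HMAC-SHA256 signature used in place of a public-key code-signing scheme, and the `SIGNING_KEY` value are all constructed for this illustration. The signing key must live in the pipeline, not on the web server, or an attacker who can write files could also re-sign the manifest.

```python
"""Added example: detect tampering of deployed web application files.

Builds a small constructed web root in a temporary directory, records a
signed manifest of file hashes at deploy time, then shows that a later
change to a PHP file (and a dropped extra file) is detected.  HMAC-SHA256
stands in for a proper code-signing key pair (an assumption made for this
illustration); the key is assumed to be held by the release pipeline only.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample site: two files a deployment might contain.
SAMPLE_SITE = {
    "index.php": "<?php echo 'checkout'; ?>\n",
    "lib/db.php": "<?php function connect() { return null; } ?>\n",
}

# Hypothetical signing key; in practice a secret held by the release pipeline.
SIGNING_KEY = b"release-pipeline-secret"


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def sign_manifest(digests, key):
    """Serialise the hash map canonically and attach an HMAC over it."""
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": digests, "sig": tag}


def verify_site(root, manifest, key):
    """Check the manifest signature, then compare live files against it.

    Returns a dict with 'manifest_ok' plus sorted lists of modified, added
    and missing paths.  A bad signature or any non-empty list means the
    site no longer matches what was deployed.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["sig"])
    live = hash_tree(root)
    recorded = manifest["files"]
    return {
        "manifest_ok": manifest_ok,
        "modified": sorted(p for p in recorded if p in live and live[p] != recorded[p]),
        "added": sorted(p for p in live if p not in recorded),
        "missing": sorted(p for p in recorded if p not in live),
    }


def demo():
    """Deploy the sample site, sign it, alter it, and re-verify each state."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_SITE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        manifest = sign_manifest(hash_tree(root), SIGNING_KEY)
        clean = verify_site(root, manifest, SIGNING_KEY)

        # Simulate an unauthorised change to a page and an unexpected new file.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<?php /* unexpected change */ ?>\n")
        with open(os.path.join(root, "extra.php"), "w") as fh:
            fh.write("<?php /* not part of the release */ ?>\n")
        tampered = verify_site(root, manifest, SIGNING_KEY)

        # A manifest re-signed without the pipeline's key must be rejected.
        forged = sign_manifest(hash_tree(root), b"wrong-key")
        forged_check = verify_site(root, forged, SIGNING_KEY)
    return clean, tampered, forged_check


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

Run the check from a scheduled job or a deploy hook rather than from the web application itself, and treat any `modified`, `added` or `missing` entry, or a failed `manifest_ok`, as an incident to investigate, not something to silently re-baseline.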
PCI DSS is only part of a security solution. As Heartland found out to their detriment, there can still be breaches. A security development life cycle and an understanding of security are mandatory when developing applications that deal with private or financial data. Security must be a requirement for web sites. Ignorance is not an excuse – anyone setting up a website should have a basic awareness of security – or contract someone who does.
Luckily the breach notice states PIN, SSN and other personally identifiable information was not involved. This highlights another major security subject – do not ask for information you don’t need. I once had to complete online OH&S training for a consultancy contract. The outsourced provider asked for my residency status, passport number, driver's license info, and other unnecessary information. I refused to fill in the information or do the training. While this data was not mandatory, the form did not indicate which fields were mandatory and which were not. It was being requested by some outsourced company which I didn’t want to use in the first place but was required to use. There was no need for them to store the information, it could not help me or the hiring company, and in my opinion it was identity theft waiting to happen.
Consumers need to be more aware of what data they are providing where and refuse to give details not relevant to the immediate need.