PCI standard 'ignores' insider threat

New measures implemented in section 6.6 of the PCI standard do nothing to address the threat of insiders.

New measures implemented in section 6.6 of the Payment Card Industry (PCI) standard, which come into force on 30 June, do nothing to address the threat of insiders, according to a database security firm.

The updates require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.

However, Secerno warned that, although this is a useful step in ensuring that information remains as safe as possible, its focus on the perimeter fails to provide any safety provisions against the threat of insider breaches and theft of data.

"The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data," said Paul Davie, founder of Secerno.

"PCI was historically written for e-commerce rather than general retailers where breaches have actually been taking place.

"It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users."

The insider threat can be anything from employees with financial or other motives to obtain and sell data, to criminals who infiltrate an organisation with the sole intention of stealing information.

"The standard says nothing about any malware other than viruses, and nothing about encrypting internal data," said Davie.

"It says nothing about protecting data on private networks and it says nothing about securing the database. Unfortunately, the internal threat is PCI's blind spot."

Davie believes that the retail industry needs to make sure that it protects data at the source in order to secure sensitive customer information against internal and external threats.

Copyright © v3.co.uk