State of the PCI Union in 2012

The State of The PCI Union in 2012 is poor, very poor.

That is my conclusion after many months of observing, working with, and fighting against the PCI scanning companies that are trying to enforce PCI standards.

What we do

As a web host that caters to ecommerce clients, we deal with PCI issues and scanning companies every day. We see it all, and have to sort through it all to make sure our clients are PCI compliant.

We are on the front lines when it comes to addressing the thousands of issues that crop up after a PCI scan is complete. If the preceding sentence makes it sound like a battle, that wouldn’t be too far from the truth.

My verdictPCI security in 2012 is no better than in previous years. In some cases, it’s actually worse. I don’t feel it’s making things more secure.

The whole process seems to be taking valuable resources and time away from actually improving security by forcing key personnel to jump through hoops like a show dog to complete a scan.

Some specific “failures”

Security Metrics:

  • Previously (Spring 2011) said they would have a better false reporting system.

Verdict: Fail
Merchants and hosting providers still have to email details to get a false positive resolved. This is slow, many times requiring a few back-and-forths to get on the same page. Certainly not efficient.

  • Said they would standardize false reporting requirements.

Verdict: Fail
Depending on which support person answers the email, reasons required can range from a simple version output, to a request for full changelog over multiple years, to a screenshot of server settings.

  • Said they would come up with a better way to not report the same false positive every quarter

Verdict: Fail
The same issues crop up every quarter for our clients, requiring the same back-and-forth email exchanges, with the added bonus of sometimes requiring different proof for the same issue from previous quarters.

I don’t want to dog-pile on just Security Metrics though…

  • One smaller PCI scanning company requires that an image by submitted with *EVERY* response to a vulnerability, whether it makes sense or not. Their form will not allow you to submit it without uploading an image. Quite maddening, and often has me thinking up specific images I’d like them to see.
  • Many PCI vendors do not fully understand the scan results. In one case, the scanner was not detecting a valid certificate properly, and the PCI company did not understand this was the case. It took a week to get this one resolved. In another case, the expiration date was read incorrectly, and it took several back-and-forth responses to make them see this was the case.

The Mythical BEAST

Late last year a proof of concept attack on SSL termed the BEAST (Browser Exploit Against SS/TLS) surfaced. It is a valid way to break the security of SSL, although it requires very specific conditions and a whole slew of attempts to actually pull off.

I see it as an “in the weeds” type of attack, as it requires:

  • the server to support certain conditions (ciphers)
  • the browser to be vulnerable
  • requires the attacker to have “man in the middle” access on the same network, and
  • the attacker needs to know the destination website.

After all of this, the attacker can then guess one item in trying to crack the SSL cipher. As you can tell, it would take a lot of things to line up perfectly combined with a lot of time to actually pull this off.

PCI scanning companies like SecurityMetrics see this as a PCI failure. The fix?

They recommend only using one type of cipher, RC4. The drawback?

It drops the encryption level to 128 bits instead of 256. This actually reduces the security of SSL (granted RC4 with 128 bits is still quite secure), but in trying to justify their existence, scanning companies have reduced overall security instead of increasing it, all to satisfy a scan item that has less of a chance of working than me building the next space shuttle.

All in all, PCI scanning vendors, in my opinion, are not helping to make ecommerce more secure. They are wasting merchants and hosting companies time having to report endless false positives over and over each quarter, chase down obscure issues that are not realistic in terms of breaches, and are doing nothing whatsoever to help shore up the real attack vectors of hackers:

compromised PCs/laptops, malware, and easy to guess passwords.

But hey, they are making millions of dollars a month, and I guess have to justify this ridiculous cash-cow with miles of red tape.

photo credit

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

Leave a Reply