Love it or hate it, the PCI DSS standard was the first to outline clear, tactical steps to secure credit card data. As a result, it clarified the role and relevance of IT Security, and enlightened the C-suite on the budgetary requirements for maintaining core security functions. Long story short, it has helped to prioritize and operationalize IT security in a way that would likely not have occurred otherwise.
However, the recent barrage of publicized attacks on retail businesses – (Target, Home Depot, eBay to name a few), has underscored the reality that despite ongoing efforts to keep the standard current, it could benefit from a more rigorous review.
Case in point: a recent bulletin from the Payment Card Industry (PCI) standards body to retailers regarding advanced malware. It encourages merchants to contact their AV provider to ensure their software detects [insert malware name here]”
The problem with this bulletin is that while well meaning, it is a band-aid, addressing a symptom of a bigger problem – that defending against advanced malware requires major shifts in defensive tools and tactics. While the bulletin goes on to suggest additional actions that relate to various parts of the standard, there is no mention of state-of-the-art technologies that offer a much more direct and effective approach– and there should be.
Now consider how much cybercrime has advanced. Advanced malware is more than the latest threat du jour – it is reflects a level of intent, technical sophistication and superior execution that simply hasn’t existed until now. Given the emergence of advanced malware detection solutions designed to identify these threats, it is about time the PCI DSS is revised to include advanced malware detection solutions.
Of course this is somewhat self-serving, given I am VP of Products for Cyphort, a company that makes an advanced threat detection solution specifically focused on identifying advanced malware as it crosses the network. No doubt about it, my company stands to gain from such a revision.
But, I am also a consumer and am continually personally inconvenienced by these breeches. And as a security professional, I have experienced the FUD and confusion that ensues when breaches occur at companies that were purportedly PCI complaint.
As the first “prescriptive” mandate, PCI helped to bridge the gap between compliance and security. However, any company deemed “compliant” with PCI at a given point in time can easily fall out of compliance, which is why constant vigilance is required. That vigilance should include keeping up with the state Cybercrime, and recognize the state-of –the-art for defending against savvy criminals with sophisticated tools.
As the cloud, virtualization, BYOD, SDN, and other technology trends evolve, so do their associated risks. Lord knows the bad guys are adapting accordingly –so should we. While our industry has certainly benefitted from the PCI DSS, for it to remain relevant it needs to evolve in lockstep with reality.
Cyphort is innovative provider of Advanced Threat Protection solutions that deliver a complete defense against current and emerging Advanced Persistent Threats, targeted attacks and zero day vulnerabilities. The Cyphort Platform accurately detects and analyzes next generation malware, providing actionable, contextual intelligence that enables security teams to respond to attacks faster, more effectively, and in as surgical a manner as their attackers. Cyphort’s software-based, distributed architecture offers a cost effective, high performance approach to detecting and protecting an organization’s virtual, physical and cloud infrastructure against sophisticated attacks. Malware detection for Windows, OSX and Linux allows businesses to extract maximum value from IT assets without compromising the security of an organization. Founded by experts in advanced threats from government intelligence agencies and premier network security companies, Cyphort is a privately held company headquartered in San Jose, California. For more information, please visit: www.cyphort.com.