Retail Malware: PCI-DSS Is Part of the Problem, Says Retail Security Specialist Slava Gomzin Computing (08/07/14) Burton, Graeme Retail security expert Slava Gomzin warns the PCI Data Security Standard is increasingly ineffective at helping merchants prevent retail malware attacks that target the point of sale. He says such measures were designed and implemented to protect cardholder data stolen from hard drives, but they did not throw any significant controls around computer memory, network communications or application code, so these areas are still not protected. Gomzin notes most applications involving a card swiped at the POS leave the cardholder data readable in computer memory, and unencrypted. Moreover, this is compliant with PCI-DSS, he points out. Consultant Dave Birch sees investment in standards such as PCI-DSS coming to a close, especially because the PAN-[permanent account number] centric card solutions will soon be replaced by chip and PIN, tokenization and new [identity-centric] alternative mechanisms. Gomzin thinks chip-based cards are no more effective at shielding online payments against fraud than PCI-DSS, and what is required to fully secure POS systems is point-to-point encryption of card data. Birch, meanwhile, believes the payments industry should concentrate on making stolen data harder to exploit by rendering it useless.
Posted on: Thu, 07 Aug 2014 22:15:09 +0000