As a collaborative standards-setting body, the Payment Card Industry Security Standards Council isn’t the sort of entity that generally attracts sharp dramatic criticism, particularly when that criticism is over a rule that’s more than two years old.
But execs at tech firms such as Oracle (ORCL) and governance, risk and compliance (GRC) firm Agiliance (AGIAP) are hopping mad at the PCI Council over its requirement that software vendors share detailed vulnerability data, in some cases before patches to fix that vulnerability have been released.
“If you share information that will allow hackers to exploit the vulnerabilities, that goes beyond the purpose of sharing,” says Torsten George, vice president of worldwide marketing and products for Agiliance.
George says that while the PCI Council should be lauded for trying to establish a vulnerability sharing environment that is meant to counter similar information sharing among cyber criminals, “mandating the disclosure of vulnerabilities before fixes and patches are available is a flawed approach. It sets up a situation where if leaked, this information would provide the blueprints attackers need to exploit these flaws. It's unfortunate that the PCI Council has taken this stance since PCI DSS is one of the IT industry's most advanced regulations. Unlike many other mandates that place an emphasis on compliance for compliance's sake, PCI DSS provides organizations with very detailed guidelines and is primarily security-driven. This well-intentioned attempt to mount collaboration efforts against hackers should instead mandate vulnerability sharing after a fix is available.”
George is instead advocating an approach of continuous assessments of software security and sharing of fixes to vulnerabilities, along with a closed loop of participants to protect against leaks that could be used by hackers, who have their own sharing forums. “[We’re in favor of] a monitoring approach instead of a compliance-driven approach,” he says. “I think when you look at a lot of the breaches and do a forensic analysis and a post mortem, you will see that the organization was compliant at the time they reported to the PCI council, but within weeks the compliance status had dropped...If you are scanning the environment consistently you are also automating the collection of security data and aggregating that and it shortens the time it takes to mitigate any type of vulnerability.”
George is joining Oracle CSO Mary Ann Davidson, who recently wrote a scathing blog about the policy. Oracle didn’t respond to requests for comment by mid-day Tuesday, but Davidson wrote “PCI requires vendors to disclose (dare we say “tell all?”) to PCI any known security vulnerabilities and associated security breaches involving VPAs ASAP. Think about the impact of that. PCI is asking a vendor to disclose to them specific details of security vulnerabilities, including exploit information or technical details of the vulnerability [and] whether or not there is any mitigation available (as in a patch).”
Davidson goes on to say that insider information about security vulnerabilities inevitably leaks, “which is why most vendors closely hold such information and limit dissemination until a patch is available (and frequently limit dissemination of technical details even with the release of a patch). That’s the industry norm, not that PCI seems to realize or acknowledge that. Why would anybody release a bunch of highly technical exploit information to a cast of thousands, whose only “vetting” is that they are members of a PCI consortium?”
While it seems odd to suddenly criticize a rule that’s been in effect since 2010, the council recently asked for comment on the development of future standards, and Davidson contends Oracle has repeatedly asked the council to reconsider the policy.
And while it may also seem odd to criticize a policy that seems proactive on its face -- sharing vulnerabilities as early as possible -- the tech firms argue that being notified of details of a vulnerability before a patch is available doesn’t help other firms, because the workarounds required to mitigate pending vulnerabilities would likely harm some other part of that firm’s environment, and that a single workaround probably wouldn’t work for diverse software vendors.
“Once a patch becomes available, it’s important to push that out to everybody,” George says.
For its part, the PCI Security Standards Council didn’t address the tech firms’ criticisms directly, instead issuing a statement claiming the rules really aren’t new and that it “works diligently to maintain a listing of validated payments.”
While inviting feedback, the council said “recent media reports have incorrectly cited ‘new changes’ to the Council’s disclosure policy for vendors participating in its PA-DSS Payment Application Validation program. To avoid any confusion, there have been no changes to the Council’s policy since the PA-DSS program was launched, more than three years ago. The policy provides the Council with the requisite information and mechanism to act swiftly and appropriately when vulnerabilities are detected, thereby helping to ensure the security of application users and that applications identified on the Council’s List of Validated Payment Applications meet Council security requirements.”