The PCI DSS standard that major credit card companies such as Visa, MasterCard and American Express use to ensure that payments are secure is not enough to stop an attacker from retrieving card payment details, according to a security expert.
The warning comes from a report from security firm Kaspersky Lab's news service, Threatpost.
Currently, organisations such as retailers that handle card payment data are required by the major credit card companies to comply with the PCI DSS standard, but according to the report, compliance does not guarantee the security of payment data.
The report said that Rob Havelt, director of penetration testing at Trustwave's SpiderLabs, a provider of PCI-compliant solutions, believes that PCI-compliant networks are easy to attack because of other vulnerabilities elsewhere in an organisation's network.
"It's not even just finding a vulnerability and throwing an exploit against it. There are things that people just do wrong that make it possible for an attacker to get in," he said.
Havelt said that if attackers really wanted card details from an organisation, they would start by using one of the common methods to find a way onto the network such as using custom malware, weak passwords or malicious attachments.
He said the attackers would then try to navigate onto the part of the network where the sensitive data is stored.
Havelt said that the opening stage of such an attack could include ARP spoofing, a technique in which an attacker sends false Address Resolution Protocol (ARP) messages onto a local area network.
He said this would give the attacker access to some of the network's traffic, allowing them to understand how the network operated and therefore locate where the sensitive data is stored.
"These things aren't new. It's 2012 and we still don't have ARP spoofing figured out. It's simple to do and it can be devastating," he said.
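The article describes ARP spoofing only in outline. As an added illustration from the defender's side (example code, not from the article or from Trustwave), the snippet below runs a simple detector over a constructed list of ARP replies as a passive monitor on the segment would record them, flagging the two symptoms a poisoning attempt leaves behind: a known IP answered by an unexpected MAC, and one MAC claiming several IPs. The gateway binding, addresses and MACs are invented sample values.

```python
from collections import defaultdict

# Constructed sample ARP replies (timestamp, sender IP, sender MAC) as a
# passive monitor on the segment would record them; not data from the article.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:01"),   # gateway answers normally
    ("10:00:02", "192.168.1.20", "00:11:22:33:44:20"),  # workstation
    ("10:00:03", "192.168.1.21", "00:11:22:33:44:21"),  # another workstation
    ("10:00:09", "192.168.1.1", "00:11:22:33:44:21"),   # .21's MAC now claims the gateway IP
    ("10:00:10", "192.168.1.20", "00:11:22:33:44:21"),  # ...and the workstation's IP too
]

# Hypothetical static table of bindings the operator trusts (e.g. the gateway).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, trusted=TRUSTED_BINDINGS):
    """Return a list of alert tuples (timestamp, rule, ip, mac).

    'binding-violation': an IP in the trusted table is claimed by another MAC.
    'ip-mac-change':     an IP first seen with one MAC is later claimed by another.
    'mac-multiple-ips':  one MAC claims more than one IP, which is what a host
                         poisoning both ends of a conversation looks like.
    """
    first_seen = {}                  # ip -> MAC of the first reply observed
    ips_by_mac = defaultdict(set)    # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip].lower() != mac:
            alerts.append((ts, "binding-violation", ip, mac))
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append((ts, "ip-mac-change", ip, mac))
        first_seen.setdefault(ip, mac)   # keep the first binding as the baseline
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "mac-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

The first three replies produce no alerts; the last two raise four, since the attacker's MAC both overrides the trusted gateway binding and accumulates multiple IPs.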