PCI-compliant networks are not enough to secure payment data, says expert

By Sooraj Shah
02 Mar 2012

The PCI DSS standard that major credit card companies such as Visa, MasterCard and American Express use to ensure that payments are secure is not enough to stop an attacker from retrieving card payment details, according to a security expert.

The warning comes from a report from security firm Kaspersky Lab's news service, Threatpost.

Currently, organisations such as retailers that handle card payment data are required by the major credit card companies to comply with the PCI DSS standard, but according to the report, compliance alone does not guarantee the security of that data.

The report quotes Rob Havelt, director of penetration testing at SpiderLabs, the research arm of PCI compliance solutions provider Trustwave, as saying that PCI-compliant networks are easy to attack because of other vulnerabilities elsewhere in an organisation's network.

"It's not even just finding a vulnerability and throwing an exploit against it. There are things that people just do wrong that make it possible for an attacker to get in," he said.

Havelt said that if attackers really wanted card details from an organisation, they would start with one of the common methods of getting onto the network, such as custom malware, weak passwords or malicious email attachments.

He said the attackers would then try to navigate onto the part of the network where the sensitive data is stored.

Havelt said that the opening stage of such an attack could include an address resolution protocol (ARP) spoofing attack, a technique in which the attacker sends forged ARP messages onto the local area network so that other hosts send their traffic to the attacker's machine.

He said this would give the attacker access to some of the network's traffic, allowing them to learn how the network operated and therefore locate where the sensitive data is stored.

"These things aren't new. It's 2012 and we still don't have ARP spoofing figured out. It's simple to do and it can be devastating," he said.
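The detection side of the technique Havelt describes, as an added example that is not from the article or from Trustwave: an arpwatch-style monitor that records the first IP-to-MAC binding it sees on a segment and alerts when a later ARP reply rebinds a known IP to a different MAC, or when one MAC starts answering for several IPs (the signature of a host impersonating the gateway). The sample replies and addresses are constructed for illustration.

```python
"""Flag ARP-spoofing indicators in a stream of observed ARP replies.

Added example (not from the article or Trustwave). A simplifying
assumption: the first binding seen for each IP is trusted; real
deployments seed the table from a known-good inventory or DHCP leases.
"""
from collections import defaultdict

# Constructed sample of (sender_ip, sender_mac) pairs in arrival order,
# as a passive monitor on the cardholder-data segment might record them.
# 10.0.0.1 is the gateway; the last two records show another host's MAC
# claiming the gateway's address and then a workstation's address.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway, legitimate
    ("10.0.0.20", "00:11:22:33:44:20"),  # workstation
    ("10.0.0.30", "00:11:22:33:44:30"),  # point-of-sale terminal
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway again, unchanged
    ("10.0.0.1", "00:11:22:33:44:30"),   # POS MAC now claims gateway IP
    ("10.0.0.20", "00:11:22:33:44:30"),  # ... and the workstation IP too
]


def detect_arp_spoofing(replies):
    """Return a list of alert strings for suspicious ARP replies."""
    ip_to_mac = {}                  # first-seen binding per IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac     # trust the first binding (assumption)
        elif known != mac:
            # A known IP is now answered by a different hardware address.
            alerts.append(f"REBIND {ip}: {known} -> {mac}")
        ips = mac_to_ips[mac]
        if ips and ip not in ips:
            # One MAC answering for more than one IP: gateway impersonation.
            alerts.append(f"MULTI-IP {mac}: now also {ip}")
        ips.add(ip)
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES):
        print(line)
```

In practice the alerts would feed a SIEM and be correlated with switch port data, which is what makes a twelve-year-old technique visible in minutes rather than months.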
