[WEB SECURITY] MasterCard backs off Security, Leave Cardholders at Risk

auto471292 at hushmail.com auto471292 at hushmail.com
Tue Jun 6 11:44:55 EDT 2006

In July 2005, VISA and MasterCard began aggressively promoting the 
importance of web application security through the Payment Card 
Industry (PCI) Data Security Standard. To protect consumers, 
VISA/MasterCard updated the PCI standard to include web application 
security by 2006. However, in March 2006 something very troubling 
occurred-- MasterCard gutted the web application security portion 
of the standard, leaving millions of consumers vulnerable every 
time they shop, bank or otherwise expose personal data online. 
Visa and MasterCard require credit card merchants to implement PCI 
security best practices in order to safeguard cardholder 
information--the type of information which, if compromised, leads 
to fraud and identity theft. Merchants who fail to comply with PCI 
can face fines or exclusion from processing credit cards.  
Everyone, including the credit card brands, agrees that Web 
application security is a critical component of good overall 
security since most websites have serious security issues.  So why 
would they backpedal on their web application security requirements 
now, when web application attacks are on the rise? (1) (2)
In late 2005 MasterCard began (re)-certifying Scanning Vendors who 
verify that online merchants who accept credit cards are PCI 
compliant. Scanning Vendors who could demonstrate that they were 
able to find web application vulnerabilities in accordance with the 
OWASP Top Ten (3) (a minimum standard for web application security) 
passed the test and were recertified. Interestingly, many of the 
previously certified network scanning vendors simply couldn't pass 
the web application security portion. This is because the 
technology necessary to proficiently scan web applications for 
vulnerabilities is vastly different from the capabilities of the 
large and entrenched network scanning vendors. In response, 
MasterCard reduced the PCI standard so that the old guard could 
pass, stating in turn that it was the web application scanning 
tools that have inconsistent results.  Now only two of the ten 
recommended issues of the original "minimum standard" need to be 
tested for. (4)
In addition, many of the merchants claimed that the process of web 
application testing was too intrusive for them.  Experts in the 
field know that many times a scanner is no more intrusive than a 
regular user.   They also balked at the additional expense required 
for web application testing.  What about the expense and 
inconvenience that befalls a consumer whose identity is stolen?  
There must be some accountability for these online merchants and 
the credit card companies have to step up and stand behind the 
standards they impose.
Many in the industry feel that MasterCard caved to the pressure of 
the large security companies who did not or could not improve their 
security offerings to keep up with the latest web application 
security consumer threats and the influence of powerful online 
merchants. You would think MasterCard would want to ensure that 
cardholder data is protected by the highest of security standards. 
The real loser here is the consumer who remains at risk on just 
about every website that asks for their credit card number.
(1) A recent Symantec Internet Security Threat Report stated, "Of 
the vulnerabilities disclosed between July and December 2005, 69% 
were associated with Web applications.".
(2) Web App Hack Incidents Are Up As Businesses Take Cover
(3) The OWASP Top Ten provides a minimum standard for web 
application security.
(4) Changes to PCI Standard Testing Requirements 

Concerned about your privacy? Instantly send FREE secure email, no account required

Get the best prices on SSL certificates from Hushmail

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list