[WEB SECURITY] MasterCard backs off Security, Leave Cardholders at Risk

sarah mann little_alpaca at hotmail.com
Tue Jun 6 18:34:05 EDT 2006

Sounds to me like these are rumours at the moment - I can't find any 
official announcement and the manual on the mastercard site is still the 
March 2005 one that requires vendors to detect the 10 most widespread 
application vulnerabilities and configuration issues as detailed by OWASP.

It is reported that Tom Maxwell, a director of advanced payment systems at 
MasterCard, talked about proposed updates at a May 15 security conference in 
San Francisco hosted by Qualys:
"The proposed update includes a requirement to, by mid-2008, scan payment 
software for vulnerabilities."
Although it was my understanding that this was already a requirement for 
certification in the March 2005 manual:
https://sdp.mastercardintl.com/pdf/srv_entire_manual.pdf - see section 2-8 
of this 2005 manual.

A report in InfoWorld on the conference reports a little more, but the 
detail comes from Qualys, not MasterCard:
"As of June, merchants will need to prove that they have scanned their 
networks for evidence of SQL injection and Cross Site Scripting 
vulnerabilities, two of the most commonly exploited application holes. The 
requirement will include comprehensive application vulnerability scans by 
2008, according to Philippe Courtot, CEO of Qualys."

is an article that actually proclaims to have the revisions, which reduce 
the requirement to detection of:
1. unvalidated parameters that lead to SQL injection attacks
2. cross-site scripting (XSS) flaws

But as far as I can make out, this is an unsubstantiated report.

Clear as mud as usual.

-----Original Message-----
From: robert at webappsec.org [mailto:robert at webappsec.org]
Sent: 06 June 2006 19:31
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] MasterCard backs off Security, Leave Cardholders 
at Risk

Could you please provide some real URLs other than user posts to 
securityfocus? I'm sure many people on this list would be interested in 
reading more about this from an official news source somewhere.


- Robert A.
Co-Founder The Web Application Security Consortium
http://www.cgisecurity.com/ Website Security News, and More
http://www.cgisecurity.com/index.rss [RSS Feed]

The Web Security Mailing List

The Web Security Mailing List Archives

-----Original Message-----
From: auto471292 at hushmail.com [mailto:auto471292 at hushmail.com]
Sent: 06 June 2006 16:45
To: websecurity at webappsec.org
Subject: [WEB SECURITY] MasterCard backs off Security, Leave Cardholders at 

In July 2005, VISA and MasterCard began aggressively promoting the
importance of web application security through the Payment Card
Industry (PCI) Data Security Standard. To protect consumers,
VISA/MasterCard updated the PCI standard to include web application
security by 2006. However, in March 2006 something very troubling
occurred-- MasterCard gutted the web application security portion
of the standard, leaving millions of consumers vulnerable every
time they shop, bank or otherwise expose personal data online.

Visa and MasterCard require credit card merchants to implement PCI
security best practices in order to safeguard cardholder
information--the type of information which, if compromised, leads
to fraud and identity theft. Merchants who fail to comply with PCI
can face fines or exclusion from processing credit cards.
Everyone, including the credit card brands, agrees that Web
application security is a critical component of good overall
security since most websites have serious security issues.  So why
would they backpedal on their web application security requirements
now, when web application attacks are on the rise? (1) (2)

In late 2005 MasterCard began (re)-certifying Scanning Vendors who
verify that online merchants who accept credit cards are PCI
compliant. Scanning Vendors who could demonstrate that they were
able to find web application vulnerabilities in accordance with the
OWASP Top Ten (3) (a minimum standard for web application security)
passed the test and were recertified. Interestingly, many of the
previously certified network scanning vendors simply couldn't pass
the web application security portion. This is because the
technology necessary to proficiently scan web applications for
vulnerabilities is vastly different from the capabilities of the
large and entrenched network scanning vendors. In response,
MasterCard reduced the PCI standard so that the old guard could
pass, stating in turn that it was the web application scanning
tools that have inconsistent results.  Now only two of the ten
recommended issues of the original "minimum standard" need to be
tested for. (4)

In addition, many of the merchants claimed that the process of web
application testing was too intrusive for them.  Experts in the
field know that many times a scanner is no more intrusive than a
regular user.   They also balked at the additional expense required
for web application testing.  What about the expense and
inconvenience that befalls a consumer whose identity is stolen?
There must be some accountability for these online merchants and
the credit card companies have to step up and stand behind the
standards they impose.

Many in the industry feel that MasterCard caved to the pressure of
the large security companies who did not or could not improve their
security offerings to keep up with the latest web application
security consumer threats and the influence of powerful online
merchants. You would think MasterCard would want to ensure that
cardholder data is protected by the highest of security standards.
The real loser here is the consumer who remains at risk on just
about every website that asks for their credit card number.

(1) A recent Symantec Internet Security Threat Report stated, "Of
the vulnerabilities disclosed between July and December 2005, 69%
were associated with Web applications."

(2) Web App Hack Incidents Are Up As Businesses Take Cover

(3) The OWASP Top Ten provides a minimum standard for web
application security.

(4) Changes to PCI Standard Testing Requirements
