Regulation to mandate breach reporting necessary, but discretion needed

Regulation to mandate companies report security vulnerabilities and breaches to the Payment Card Industry Security Standard Council (PCI Council) is necessary to protect consumers and customer data, establish consistency in procedures, and help companies against cyberattacks. However, these standards must be updated according to the current threat landscape and organizations should be discreet about the data they submit, security watchers note.

In a blog posted in March, Oracle's chief security officer, Mary Ann Davison, expressed her objection to the PA DSS mandate that requires all software vendors to submit detailed technical information and exploit details on any security flaws in their products to the Payment Card Industry Security Standard Council (PCI Council), noting that this puts vendors and customers at risk.

Established by the council three years ago, the PA DSS is a set of baseline security standards for payment application software that requires all developers of payment applications to implement specific security controls in their products, and to submit the data to the PCI Council for periodic security assessments.

Gerry Chng, advisory services partner of Ernst & Young, however, disagreed with Davidson's view.

He said the security practices established by the PCI Council put in place basic controls vendors of payment applications and merchants processing cardholder data should adopt. The PA DSS also creates awareness of what vendors and merchants must do to safeguard the security of cardholder data stored within the organization, as well as data processed by the payment application or during transit over the network, Chng explained.

Regardless of an organization's maturity with respect to IT security, the standards serve as a baseline to protect cardholder data and drive consistency in handling such data, he noted.

"The PCI security standards are not intended to be the be-all and end-all for security controls," Chng said. "A good security regime is one where compliance is a result of good security posture, not where compliance is an indication of good security practice."

According to Tom Kellermann, cybersecurity vice president at Trend Micro, many companies also may not necessarily be adequately prepared to deal with threats today, which is why PA DSS is relevant.

While the overall incident response capabilities for organizations have improved, Kellermann said attacks are increasingly complex, targeting and compromising both consumers and Web applications.

Reporting within PA DSS is fundamental because, without it, there will be a "serious governance issue" and the risks inherent to infrastructure will not be accessed adequately, he warned.

Aliza Shima Mohammad Kasim, ICT Practice industry analyst at Frost & Sullivan, also agreed the reporting within PA DSS is useful and beneficial for organizations to be well-informed of the vulnerabilities and subsequently to protect customers' interests and rights.

With regard to submitting periodic reports to the PCI Council, she surmised this may be necessary to establish some level of control to keep security levels at its peak.

Organizations should be discriminating about data
Chng warned, though, it is also not beneficial to the industry if detailed exploit information is disclosed as this allows hacker groups to reengineer the vulnerability and develop a working exploit.

Companies should take note to release just enough data to allow consumers to identify they are at risk as well as outline steps they can take to protect themselves, without revealing too much information, he noted.

Mark Bower, vice president of Voltage Security, remarked organizations can also reduce further risk by not reporting details of cardholder data and using data-centric security technologies that operate outside the applications and databases.

"This solves the problem of compliance costs, and reduces the risk of data breaches by making sensitive data useless and taking 'at-risk' companies off the attacks' radar," Bower explained. "Organizations can reduce the challenge to as near as nothing, and this is a win for vendors, merchants and processors."

Visa and MasterCard declined to respond when approached for their comments on the PA DSS.