[Owasp-singapore] PCI does not require end-to-end encryption within private networks??

Stephen Craig Evans stephencraig.evans at gmail.com
Mon Feb 2 05:18:37 EST 2009


Hi Onn Chee,

Good timing. I was at a customer's last week helping them prepare for PCI
compliance.

"PCI's dirty little secret is that it doesn't mandate encryption inside a
private network because
then all the processors would have to encrypt."

PCI-DSS only says in "Requirement 4: Encrypt transmission of cardholder data
across open, public networks: Sensitive information must be encrypted during
transmission over networks that are easy and common for a hacker to
intercept, modify, and divert data while in transit."

Irrespective of PCI and pre-PCI, the normal best-practice requirement is that
any sensitive information minimally goes over SSLv3/TLS, which covers
Requirement 4 above.

You have to keep in mind that PCI-DSS is relatively new and that it will
mature over time. Presently, some parts might seem too generous - and
auditors are possibly generous too - but that will change over time and
requirements and oversight will become stricter.

PCI-DSS is not theoretically perfect at this point in time and gets quite a
bit of criticism, but it's a great start especially in Asia where there are
very few compliance requirements.

So this statement by the Gartner analyst - "Billions is being spent on PCI
compliance, but it isn't really working" - is just flat out wrong. Why would
he say that? Who knows but the motivation is unimportant in this discussion.

Just like IT security, PCI-DSS compliance is an ongoing process. Handling
confidential customer data is a big responsibility, and as PCI-DSS becomes
more mature, the penalties for non-compliance will become stricter; and as
auditors gain more experience, it will take more effort to comply. That's
why it is important to convey to the client (read: management) that it is a
continuous effort to improve.

I've read about 20 articles on the Heartland payment processor breach, and
this is about the best one technically:
http://www.bankinfosecurity.com/articles.php?art_id=1175&opg=1

It looks like a sniffer was installed internally, but to effectively have
pulled off the heist, a lot of things had to go wrong; e.g. (1) if SSL was
being used, then SSLv1 or SSLv2 was used, or the key length was too short so
the encryption could be broken; (2) it had to be tricky to send out the data
collected; (3) a server had to be breached with admin privileges.

Heartland had achieved PCI compliance for more than one year but at least 2
of the 12 security controls were not in place. The biggest violation IMHO
was not regularly monitoring the log files which I have seen on EVERY PCI
prep project that I have done in the last year; Heartland stated that the
illicit data collecting had been going on for about 6 months and doing
regular monitoring would have probably greatly minimized the damage.

I discuss PCI preparation a little bit in my OWASP podcast, plus software
security in APAC and Web Application Firewalls:
https://www.owasp.org/index.php/Podcast_2 (/shameless plug)

Best regards,
Stephen

On Wed, Jan 28, 2009 at 1:28 PM, Wong Onn Chee <ocwong at usa.net> wrote:

> Hi folks,
>
> For those who are more familiar with PCI-DSS, are the claims below
> correct - that PCI-DSS does not require end-to-end encryption within
> private networks?
>
> http://www.networkworld.com/news/2009/012209-heartland-breach.html?hpg1=bn
>
> "Billions is being spent on PCI compliance, but it isn't really
> working," says Gartner analyst Avivah Litan. "PCI's dirty little secret
> is that it doesn't mandate encryption inside a private network because
> then all the processors would have to encrypt."
>
> Regards
> Onn Chee
>
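The reply above singles out the lack of regular log review as the control most often missing on PCI preparation projects, and notes that six months of unnoticed data collection would likely have been cut short by routine monitoring. The following is an added example (not code from the original post, from Heartland, or from any PCI tool) of the kind of review a small script can automate over egress logs: it builds a per-host baseline of daily outbound volume and known external destinations over a few quiet days, then flags any later day where a host's egress exceeds a multiple of its baseline or reaches a destination it has never contacted. The log format and every host name, address and byte count are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed egress-firewall log lines in a hypothetical key=value format.
# Three quiet baseline days (Jan 5-7) followed by one review day (Jan 8) on
# which proc-db-03 sends ~9.6 MB to an address it has never talked to before.
SAMPLE_LOG = """\
2009-01-05T10:02:11Z host=pos-gw-01 dst=198.51.100.20 dport=443 bytes_out=120400
2009-01-05T11:14:09Z host=pos-gw-01 dst=198.51.100.20 dport=443 bytes_out=98200
2009-01-05T23:40:51Z host=proc-db-03 dst=198.51.100.20 dport=443 bytes_out=30500
2009-01-06T10:05:33Z host=pos-gw-01 dst=198.51.100.20 dport=443 bytes_out=131900
2009-01-06T22:57:02Z host=proc-db-03 dst=198.51.100.20 dport=443 bytes_out=28700
2009-01-07T09:58:47Z host=pos-gw-01 dst=198.51.100.20 dport=443 bytes_out=117300
2009-01-07T23:12:18Z host=proc-db-03 dst=198.51.100.20 dport=443 bytes_out=31100
2009-01-08T10:01:05Z host=pos-gw-01 dst=198.51.100.20 dport=443 bytes_out=125600
2009-01-08T03:27:44Z host=proc-db-03 dst=203.0.113.77 dport=443 bytes_out=9650000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse(log_text):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "day": m["ts"][:10],          # YYYY-MM-DD portion of the timestamp
            "host": m["host"],
            "dst": m["dst"],
            "bytes": int(m["bytes"]),
        })
    return events


def daily_volume(events):
    """Total bytes_out per (host, day)."""
    vol = defaultdict(int)
    for e in events:
        vol[(e["host"], e["day"])] += e["bytes"]
    return vol


def review(log_text, baseline_days, factor=5.0):
    """Return findings for days outside baseline_days.

    Each finding is (kind, host, day, detail), where kind is
    "volume_spike" (egress > factor * median baseline day for that host) or
    "new_destination" (host contacted an address unseen during the baseline).
    """
    events = parse(log_text)
    vol = daily_volume(events)

    # Per-host baseline: median of daily egress over the baseline window.
    per_host = defaultdict(list)
    for (host, day), b in vol.items():
        if day in baseline_days:
            per_host[host].append(b)
    baseline = {h: median(v) for h, v in per_host.items()}

    # Per-host set of destinations seen during the baseline window.
    known_dst = defaultdict(set)
    for e in events:
        if e["day"] in baseline_days:
            known_dst[e["host"]].add(e["dst"])

    findings = []
    for (host, day), b in sorted(vol.items()):
        if day in baseline_days:
            continue
        base = baseline.get(host)
        if base and b > factor * base:
            findings.append(("volume_spike", host, day,
                             f"{b} bytes vs baseline {int(base)}"))

    reported = set()
    for e in events:
        if e["day"] in baseline_days:
            continue
        key = (e["host"], e["dst"])
        if e["dst"] not in known_dst[e["host"]] and key not in reported:
            reported.add(key)
            findings.append(("new_destination", e["host"], e["day"], e["dst"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, {"2009-01-05", "2009-01-06", "2009-01-07"}):
        print(*finding)
```

The two signals are deliberately simple: a median baseline resists being skewed by one busy day, and a first-seen-destination check needs no threshold at all. On real data the baseline window would be weeks rather than days, the review would run daily rather than on demand, and the allowlist of processor endpoints would come from the network inventory; the point the post makes still stands, which is that the review has to happen at all.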