Thread: MasterCard backs off Security, Leave Cardholders at Risk




MasterCard backs off Security, Leave Cardholders at Risk
user name
2006-06-07 01:24:42
auto471292@hushmail.com,

Your posting may or may not be correct, unbiased, etc.

However, I can only attach *zero* credibility to e-mail from what amounts to an anonymous sender.

Would you please identify yourself and let us know your affiliation (or lack thereof) with one of Mastercard's competitors?

Thank you,

Charles R. Morrow-Jones
Director, Security 
Office of the CIO
The Ohio State University
morrow-jones.2@osu.edu -or- 614.292.1302

----- Original Message -----
From: auto471292@hushmail.com
Date: Tuesday, June 6, 2006 11:44 am
Subject: MasterCard backs off Security, Leave Cardholders at Risk

> In July 2005, VISA and MasterCard began aggressively promoting the importance of web application security through the Payment Card Industry (PCI) Data Security Standard. To protect consumers, VISA/MasterCard updated the PCI standard to include web application security by 2006. However, in March 2006 something very troubling occurred-- MasterCard gutted the web application security portion of the standard, leaving millions of consumers vulnerable every time they shop, bank or otherwise expose personal data online.
>
> Visa and MasterCard require credit card merchants to implement PCI security best practices in order to safeguard cardholder information--the type of information which, if compromised, leads to fraud and identity theft. Merchants who fail to comply with PCI can face fines or exclusion from processing credit cards. Everyone, including the credit card brands, agrees that Web application security is a critical component of good overall security since most websites have serious security issues. So why would they backpedal on their web application security requirements now, when web application attacks are on the rise? (1) (2)
>
> In late 2005 MasterCard began (re)-certifying Scanning Vendors who verify that online merchants who accept credit cards are PCI compliant. Scanning Vendors who could demonstrate that they were able to find web application vulnerabilities in accordance with the OWASP Top Ten (3) (a minimum standard for web application security) passed the test and were recertified. Interestingly, many of the previously certified network scanning vendors simply couldn't pass the web application security portion. This is because the technology necessary to proficiently scan web applications for vulnerabilities is vastly different from the capabilities of the large and entrenched network scanning vendors. In response, MasterCard reduced the PCI standard so that the old guard could pass, stating in turn that it was the web application scanning tools that have inconsistent results. Now only two of the ten recommended issues of the original "minimum standard" need to be tested for. (4)
>
> In addition, many of the merchants claimed that the process of web application testing was too intrusive for them. Experts in the field know that many times a scanner is no more intrusive than a regular user. They also balked at the additional expense required for web application testing. What about the expense and inconvenience that befalls a consumer whose identity is stolen? There must be some accountability for these online merchants and the credit card companies have to step up and stand behind the standards they impose.
>
> Many in the industry feel that MasterCard caved to the pressure of the large security companies who did not or could not improve their security offerings to keep up with the latest web application security consumer threats and the influence of powerful online merchants. You would think MasterCard would want to ensure that cardholder data is protected by the highest of security standards. The real loser here is the consumer who remains at risk on just about every website that asks for their credit card number.
>
> (1) A recent Symantec Internet Security Threat Report stated, "Of the vulnerabilities disclosed between July and December 2005, 69% were associated with Web applications."
>
> (2) Web App Hack Incidents Are Up As Businesses Take Cover
> http://www.informationweek.com/industries/showArticle.jhtml?articleID=185300842
>
> (3) The OWASP Top Ten provides a minimum standard for web application security.
> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>
> (4) Changes to PCI Standard Testing Requirements
> http://www.securityfocus.com/archive/139/428796/30/0/threaded

MasterCard backs off Security, Leave Cardholders at Risk
user name
2006-06-07 04:16:10
I completely agree with Charles. Also, provide any references that confirm this claim. The securityfocus link has no credibility either, since it is just as anonymous.

Thanks

-- 

---------------------------------------------
Aman Raheja
Security+, Linux+ Certified.
http://www.techquotes.com
PGP Key http://www.techquotes.com/araheja.asc
---------------------------------------------


Charles R. Morrow-Jones wrote:

> auto471292@hushmail.com,
>
> Your posting may or may not be correct, unbiased, etc.
>
> However, I can only attach *zero* credibility to e-mail from what amounts to an anonymous sender.
>
> Would you please identify yourself and let us know your affiliation (or lack thereof) with one of Mastercard's competitors?
>
> Thank you,
>
> Charles R. Morrow-Jones
> Director, Security
> Office of the CIO
> The Ohio State University
> morrow-jones.2@osu.edu -or- 614.292.1302


