Skip to content. | Skip to navigation

Sections

Personal tools

You are here: Home → wikidblog → More on PCI Security: Random Pen Testing

Recent entries: Two-factor for the cloud admin Aug 15, 2008; Debunking "Two-Factor Authentication Debunked by TSB Phish" admin Jul 02, 2008; New Howtoforge article - Postgresql admin Jul 02, 2008; World of Warcraft gets two-factor authentication - your bank won't follow admin Jul 01, 2008; Podwójne uwierzytelnianie admin Jun 10, 2008

Recent comments: Re:Security and Oil admin Apr 25, 2008; Re:Security and Oil Paul feet Apr 24, 2008; Re:100% open source admin Apr 22, 2008; Re:100% open source Adam Apr 22, 2008; Re:Capital Gains Tax Rates and Entrepreneurs Lance Oct 23, 2007

2007/03/06

More on PCI Security: Random Pen Testing

In thinking a bit more about PCI security since my post on PCI visibility. I think what Visa and Mastercard need to do is to hire independent 3rd party penetration testers to pen test merchants and processors.

The PCI Three are making a big switch in September, when they will start fining acquiring banks non-compliant merchants. However, there are two problems with the auditing procedures: Auditors are paid by the companies they are auditing and audits are static snapshots. I'm not insinuating anything here about the ethics of PCI auditors, just pointing out the agency conflict and that a company might get compliant for an audit, then lapse out of compliance.

Further, as I have mentioned before, I think that the PCI program may be too little too late to fend off regulatory action. I think that having auditors that are paid by Visa/Mastercard/Amex to pen test merchants and processors would keep merchants and processors on their toes. Obviously, the merchants and processors would have to give permission for random pen tests, but I think that issue can be forced. Doing this would eliminate the two problems noted above. The pen testers would not be paid by the target companies and the target companies would have no idea when they would be audited.

Category(s): Security and Economics; Phishing and Fraud; Information Security; PCI

The URL to Trackback this entry is:: http://www.wikidsystems.com/WiKIDBlog/more-on-pci-security-random-pen-testing/tbping

Add comment

You can add a comment by filling out the form below. Plain text formatting. Comments and Trackbacks are moderated.

Author (Required)

EMail (Required)

URL

Title (Required)

Comment (Required)

Remember your information on cookie?

Verification Code

This helps us prevent automated spamming.

Captcha Image

Categories: Security and Economics (78); Two Factor Authentication (126); Authentication Attacks (52); Phishing and Fraud (86); Miscellaneous (90); WiKID (62); Information Security (64); Strong Authentication (24); Open Source (32); Mutual Authentication (38); Transaction Authentication (11); Wireless, cellular, mobile devices (6); PCI (23)

Feeds and Bookmarks: Digg this!; Del.ico.us; Google; Yahoo bookmarks; Reddit; Spurl; Simpy

Start using WiKID today

Recent Changes: Two-factor for the cloud Aug 15, 2008; Installation Documentation Aug 15, 2008; How to install the WiKID Enterprise RPMs Aug 15, 2008; How to install the WiKID Strong Authentication Server - Enterprise Edition - Page 2 Jul 25, 2008; WiKID Quickstart Installation Cheatsheet - Version 3.x Jul 25, 2008; All recent changes…

Got Questions? Get Answers.