Digital Transactions Authoritative, insightful and timely information for payments professionals
In the wake of an unusual public outburst by a top security officer at software giant Oracle Corp., the Payment Card Industry (PCI) Security Standards Council issued a statement on Thursday to Digital Transactions News defending a little-known rule that requires vendors to disclose security holes in their software.
In reaction to the rule, Oracle chief security officer Mary Ann Davidson last week wrote an extended post on a company blog blasting the Council, which is charged with administering PCI, for forcing software vendors to divulge what in her view could be valuable information for criminals. The post, which also covered other matters, contains more than 1,500 words on the subject of the Council requirement.
The Council, Davidson charges, requires that vendors disclose not only “technical details” of vulnerabilities in their products, but also whether any “mitigation,” or patch, has been devised for the vulnerability. Such information, she says, could lead to data breaches before vendors have a chance to implement the fix. She says the information does not remain private with the Council, but rather is passed on to a wide range of entities, including “qualified security assessors (QSAs), and any affiliate or agent or adviser of those entities, who are in turn permitted to share it with their respective affiliates, agents, employees, contractors, merchants, processors, service providers and other business partners.” Such dissemination, she says, virtually guarantees the information will wind up in the wrong hands.
The Council requirement is related to a set of rules for payment-related software known as the Payment Application data-security standard (PA-DSS), which is part of PCI. According to Davidson, vendors whose products meet the standard must disclose the vulnerability information to have the products listed by the Council as compliant. The Council’s Web site catalogs compliant software products under the heading “Validated Payment Applications.” The products fall under one of two headings, “Acceptable for New Deployments” and “Acceptable Only for Pre-Existing Deploym ents.”
Redwood City, Calif.-based Oracle has three products listed in the latter category, which sets out applications whose validation has expired but can be used by clients that had installed the products before the expiration date. The expiration date for all three Oracle applications was March 2, 2011, according to the listings.
In its statement, the Council says only that vendors are required to disclose to it any information about vulnerabilities “that could jeopardize the security of third-party data.” It does not say to whom, if anyone, outside the Council this information is passed on. Nor does the Council say whether the disclosure must include information about whether a patch is available or in the works “The policy provides the Council with the requisite information and mechanism to act swiftly and appropriately when vulnerabilities are detected,” the statement says.
The Council also says the disclosure requirement is nothing new, despite Davidson’s claim in her post that the rule was adopted in August 2010. “To clarify, there have been no changes to the Council’s policy since the PA-DSS program was launched, more than three years ago,” the statement says.
Davidson, who couldn’t be reached for this story, says in her blog post that the Council has refused to respond to efforts by Oracle “among others” to get it to change its policy on vulnerability disclosure. She goes on to call on readers to express their concerns about the matter to the Council and to sign a “statement of concern” prepared by Oracle.
While it remains unclear who besides Davidson is concerned about the policy, at least some observers say she has a legitimate gripe. “In the effort to enhance payment security, this process as described has the potential to disseminate knowledge of unaddressed vulnerabilities, and actually make payment data more vulnerable until those vulnerabilities are addressed,” says Julie Conroy McNelley, a research director at Boston-based Aite Group LLC who follows data security, in an e-mail message.
McNelley also says Davidson’s effort to recruit support in her blog post might also have an impact. “The new reality of our socially-connected world means that one voice can soon be joined by a chorus, and has the ability to effect real change,” she says.
