Today, the PCI Council launched v2.0 of its 12 security requirements, referred to as the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has established a common language for merchants, banks, hardware and software vendors, and payment processors to better protect cardholder data.
Since v1.2.1 came out in July 2009, custom malware has been on the rise, targeting organizations, users of a specific payment processing application, and even high-profile individuals in the form of “whale phishing”. According to the 2010 Verizon RISK Team Data Breach Investigations Report, malware contributed to 94% of records compromised, and 97% of the 140+ million records were compromised by custom malware. If custom malware has now become the most effective attack vector, why does the PCI Council continue to prescribe antivirus as the must-have defense to meet PCI DSS requirement #5?
A More Proactive View
By comparison, the SANS-driven Consensus Audit Guidelines (CAG) is a set of 20 Security Controls that has gained significant momentum over the past couple of years, especially within the government sector. The current CAG (v2.3) was released in November 2009 and has gained traction as a guideline and best practice because it ranked the most common ways organizations get compromised and prioritized the controls that would have the most significant impact. The CAG does not prescribe a 20-year-old, antiquated technology to protect against today’s custom malware. Instead, it prescribes a proactive application whitelisting approach to address the onslaught of targeted attacks that are looking to steal intellectual property, extract military secrets, or establish remote command and control on the electrical grid.
Most organizations subject to the PCI DSS recognize that the 12 requirements are a baseline for protecting cardholder data. These security professionals and their Qualified Security Assessors (QSAs), like SANS, should leverage application whitelisting to put an end to the most effective crimeware – custom malware.
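To make the argument above concrete, here is an added illustration (not code from the post or from any vendor) contrasting the two models: a signature blocklist, which is how antivirus decides, misses a custom variant whose bytes differ from every known signature, while a hash-based application allowlist blocks anything that was not explicitly approved. All binaries and signatures are constructed sample data.

```python
"""Added illustration: signature blocklist (antivirus) vs application allowlist.
Every binary, hash and signature below is constructed sample data."""
import hashlib

# Constructed "binaries": byte strings stand in for executable contents.
KNOWN_GOOD = {
    b"POS_APP_v3.1 payment terminal code",
    b"OS_SHELL standard system shell",
}
# An allowlist is the set of hashes of approved binaries; nothing else may run.
ALLOWLIST = {hashlib.sha256(b).hexdigest() for b in KNOWN_GOOD}

# A blocklist is a set of byte patterns taken from malware seen in the past.
AV_SIGNATURES = [b"KEYLOG_MODULE_v1", b"CARD_SCRAPER_2009"]


def av_verdict(binary: bytes) -> str:
    """Signature-based check: block only if a known pattern is present."""
    return "block" if any(sig in binary for sig in AV_SIGNATURES) else "allow"


def allowlist_verdict(binary: bytes) -> str:
    """Allowlisting check: run only if this exact binary was pre-approved."""
    return "allow" if hashlib.sha256(binary).hexdigest() in ALLOWLIST else "block"


# Constructed samples: a known strain, a custom variant with the signature
# changed so no AV pattern matches, and an approved application.
SAMPLES = {
    "known_malware": b"dropper CARD_SCRAPER_2009 exfil",
    "custom_malware": b"dropper CARD_SCRAPER_2010x exfil",
    "approved_app": b"POS_APP_v3.1 payment terminal code",
}


def compare(samples=SAMPLES) -> dict:
    """Return {sample name: (antivirus verdict, allowlist verdict)}."""
    return {name: (av_verdict(b), allowlist_verdict(b)) for name, b in samples.items()}


if __name__ == "__main__":
    for name, (av, al) in compare().items():
        print(f"{name:15} antivirus={av:5} allowlist={al}")
```

The custom variant is the case the post is about: the blocklist has no signature for it and lets it run, whereas the allowlist blocks it because its hash was never approved.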