MasterCard abandons PCI security standard
The two largest credit card companies in the world, Visa and MasterCard, created a standard, the Payment Card Industry security standard, to enforce security on every merchant that accepts payments via Visa or MasterCard. In March of this year, MasterCard removed almost all of the web application security requirements so that merchants can sign up more easily. In doing so, they have traded quality for letting less qualified merchants use their service. Part of the reasoning seems to be that the tools currently in use cannot properly assess web application vulnerabilities. MasterCard's solution is to require checks only for SQL injection and cross-site scripting, leaving many other potential vulnerabilities for attackers to exploit.
Most scanners used for these kinds of checks are not equipped to handle web applications. While many of them do have checks for SQL injection and cross-site scripting, those checks are static payloads sent blindly, against guessed parameter names, in the hope of exploiting something. Under the new changes to the Payment Card Industry security standard, these scanners do just enough to let a vulnerable merchant be considered compliant and secure. A number of vulnerabilities could still exist in such web applications, including SQL injection and cross-site scripting in parameters the static checks never touched. Unfortunately, merchants won't be checked thoroughly without a real web application scanner such as WebInspect.
WebInspect differs from many other scanners in how it works because of our new "intelligent" engines. WebInspect no longer just sends blind attacks in the hope of hitting something; it finds every parameter the application exposes and audits each one with specially crafted attacks. SPI Labs is very proud of this new technology because it lets WebInspect work more like a human tester in the way it builds attacks and determines whether an application is actually vulnerable. With WebInspect, all MasterCard and Visa merchants would be able to have assurance that their sites are secure enough to handle credit card data, so that you and I don't have to worry about identity theft. The first of these "intelligent" engines will ship this month in the 6.0 release.
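To make the difference between a blind signature check and a parameter-aware audit concrete, here is an added example. It is not WebInspect or SPI Labs code; it runs against a constructed in-process mock merchant app (`mock_app`, with hypothetical parameters `q`, `sort` and `page`) rather than a real site, and the parameter names, payloads and error patterns are all assumptions chosen for the illustration.

```python
"""Added illustration (not WebInspect or SPI Labs code): a blind
signature check versus a parameter-aware audit, run against a
constructed in-process mock merchant app. Every name here is made up."""
import re
import sqlite3
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# --- Constructed mock application standing in for a merchant site ---
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE products (id INTEGER, name TEXT)")
_DB.executemany("INSERT INTO products VALUES (?, ?)",
                [(1, "Widget"), (2, "Gadget")])


def mock_app(path, query=""):
    """GET handler. 'q' is reflected unescaped (XSS), 'sort' is
    concatenated into SQL (SQLi), 'page' is cast to int (safe)."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if path == "/":
        return 200, ('<form action="/search" method="get">'
                     '<input name="q">'
                     '<input type="hidden" name="sort" value="name">'
                     '<input type="hidden" name="page" value="1">'
                     '</form>')
    if path == "/search":
        q = params.get("q", "")
        sort = params.get("sort", "name")
        try:
            page = int(params.get("page", "1"))
        except ValueError:
            return 400, "bad page"
        try:  # the filter is parameterised, but ORDER BY is string-built
            rows = _DB.execute(
                f"SELECT name FROM products WHERE name LIKE ? ORDER BY {sort}",
                ("%" + q + "%",)).fetchall()
        except sqlite3.Error as exc:
            return 500, f"Database error: {exc}"
        items = "".join(f"<li>{name}</li>" for (name,) in rows)
        return 200, f"<p>Results for {q} (page {page})</p><ul>{items}</ul>"
    return 404, "not found"


def request(path, params):
    """Issue a GET to the mock app; swap this for HTTP against a real target."""
    return mock_app(path, urlencode(params))


# --- Probes shared by both approaches ---
XSS_MARKER = "<xz7q>"  # counts only if it comes back unescaped
SQL_ERROR = re.compile(r"database error|syntax error|unrecognized token", re.I)
PROBES = (("sqli", "'", lambda body: bool(SQL_ERROR.search(body))),
          ("xss", XSS_MARKER, lambda body: XSS_MARKER in body))


def blind_scan(path="/search", guessed_names=("id", "user", "cat")):
    """Static check: guessed parameter names, fixed payloads, no baseline."""
    findings = []
    for name in guessed_names:
        for kind, payload, hit in PROBES:
            _, body = request(path, {name: payload})
            if hit(body):
                findings.append((name, kind))
    return findings


class FormParser(HTMLParser):
    """Collect each form's action and its input names/default values."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "/", "params": {}}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["params"][a["name"]] = a.get("value") or ""


def parameter_audit(start="/"):
    """Crawl the form, then audit every discovered parameter in turn,
    keeping the other fields at their defaults so the request stays valid,
    and reporting a hit only if the baseline response did not already show it."""
    _, page = request(start, {})
    parser = FormParser()
    parser.feed(page)
    findings = []
    for form in parser.forms:
        _, baseline = request(form["action"], form["params"])
        for name in form["params"]:
            for kind, payload, hit in PROBES:
                probe = dict(form["params"], **{name: payload})
                _, body = request(form["action"], probe)
                if hit(body) and not hit(baseline):
                    findings.append((name, kind))
    return findings


if __name__ == "__main__":
    print("blind scan:      ", blind_scan())        # []
    print("parameter audit: ", parameter_audit())   # [('q', 'xss'), ('sort', 'sqli')]
```

The blind scan reports the mock app clean: its guessed names never reach the parameters the application actually has, which is exactly how a vulnerable site passes a signature-only check. The audit derives the parameter list from the application itself, sends each probe with the rest of the form intact, and compares against a baseline so a page that always contains the word "error" is not misreported; it finds the reflected `q` and the string-built `sort` while correctly leaving the integer-cast `page` alone.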
Billy Hoffman is the lead researcher for SPI Labs.