

The Biggest Flaw In The PCI DSS Security Regulations


Online security is taken more seriously today than ever before. In years gone by almost anyone could accept credit cards. If you were trusted enough to have a credit card, chances are you would be trusted enough to accept card payments.

As of April 2010, new regulations have become mandatory for all companies wanting to accept payments online; this is known as PCI DSS compliance. To comply, even the smallest online companies have to satisfy over 300 separate requirements, which range from how you handle card data to how you host your servers. On top of this, 'penetration testing' is required, in which your servers are scanned for over 3000 known vulnerabilities four times per year by a scanning vendor approved by the PCI Security Standards Council.

The regulations and checks are one of the most daunting tasks facing new and old online companies, who are now being forced to become compliant over the next few months. The sheer depth of knowledge required about server security and the regulations means that in the vast majority of cases, online companies will have to bring in outside experts and specialist companies to handle PCI compliance for them.

However, despite all of the costs involved in becoming PCI compliant, your company could still be leaving its customers vulnerable to a simple and easy method of having their card details stolen, and the PCI DSS compliance regulations do nothing to stop this easily rectifiable problem. When you enter your card details into a form, most browsers can remember what you typed: go back to the form, press the 'arrow down' key, and you are presented with a list of the entries you made in the past.

This has nothing to do with server security, 'man in the middle' attacks, or how your company's staff should be regulated. Yet this simple and easy way of breaching card security is totally overlooked in the 'extensive' PCI security standards regulations. To see it for yourself, try some of the form input fields you come across on the web: place your cursor in the box and press the 'arrow down' key, and you will be presented with a list of past entries you have made on similar forms.


This data is stored in the browser, so if you have ever allowed anyone else to use your personal computer, or have entered personal details on a computer shared by others, you have most likely placed your details into the public domain.

Luckily there is a very easy solution to this problem, yet the PCI Security Council totally neglects this security flaw while at the same time imposing highly technical requirements that in many cases could be considered a 'little over the top' (such as requiring video surveillance of servers storing card data). The rather steep PCI requirements place extremely high costs on vendors to become compliant, yet the door is left wide open for any 'hacker' who knows how to use the 'arrow down' key!

The solution is simple: every online form field that carries sensitive card data, such as credit card numbers, addresses, telephone numbers, CVV codes and login details, should carry the autocomplete='off' attribute.

In your forms you would use it like so:

<form name="form1" id="form1" method="post" autocomplete="off" action="http://www.example.com/form.cgi"> [...] </form>

or

<input type='text' name='cardnumber' autocomplete='off'>
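As an added example (not code from the original article), the following Node script lints form markup for card-data fields that lack an effective autocomplete="off", honouring both the form-level and the input-level placement shown above; the list of sensitive field names and the sample markup are constructed for the demonstration.

```javascript
// Added example, not from the original article: a lint check for HTML form
// templates that reports card-data fields still open to browser autocomplete.
// Regex parsing is used so it runs in Node without a DOM.

// Field names treated as card data (constructed list, not from the article).
const SENSITIVE_NAME = /card|ccnum|\bpan\b|cvv|cvc|csc|expir|exp_/i;

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Return names of sensitive inputs without an effective autocomplete="off".
// An input inherits its form's setting unless it sets autocomplete itself.
function findExposedFields(html) {
  const exposed = [];
  let formOff = false;
  const tagRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, tag, attrText] = m;
    if (tag.toLowerCase() === 'form') {
      formOff = closing ? false : parseAttrs(attrText).autocomplete === 'off';
      continue;
    }
    const a = parseAttrs(attrText);
    const name = a.name || a.id || '';
    if (!SENSITIVE_NAME.test(name)) continue;
    const effective = 'autocomplete' in a ? a.autocomplete : (formOff ? 'off' : 'on');
    if (effective !== 'off') exposed.push(name);
  }
  return exposed;
}

// Constructed samples: the article's form-level fix, and a form that forgot it.
const SAMPLE_OK = `<form id="form1" method="post" autocomplete="off" action="/pay">
  <input type="text" name="cardnumber"><input type="text" name="cvv"></form>`;
const SAMPLE_BAD = `<form id="checkout" method="post" action="/pay">
  <input type="text" name="cardnumber">
  <input type="text" name="cvv" autocomplete="off">
  <input type="text" name="exp_month"></form>`;

console.log(findExposedFields(SAMPLE_OK), findExposedFields(SAMPLE_BAD));
```

Note that current browsers' password managers ignore autocomplete="off" on login fields, so this check is most useful for the card-data inputs the article describes.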

This overlooked security flaw is not mentioned anywhere in the 89-page document that comprises just the basic requirements for PCI compliance, which instead focuses on over 300 other potential security risks, none of which would in reality prevent a 'hacker' who knows how to press the 'down key' from obtaining and compromising your customers' card details!