Browsers are a weak point in PCI compliance

Laurie Coffin notes that even bank-supplied card protection systems may not protect against internet security issues

Do you or your customers process credit card information via a web browser? If so, you're probably aware of the risks inherent in the use of web browsers, such as data loss, theft or leakage, malware and man-in-the-middle attacks.

There are many security policies aimed at helping organisations achieve PCI compliance but, even so, critical security holes remain.

PCI Requirement 3 mandates organisations must protect stored cardholder data, and this is generally done via encryption. However, the encrypted data is unencrypted when rendered in the browser on the end point and in use.

Data can remain in the web browser cache in clear text format, where it can be extracted by malware or end users. Even simple everyday tasks, such as cut, copy, paste and screen capture, put sensitive data in the system-wide clipboard, also rendered in clear text format and still accessible after the web session has ended.

In addition, stored usernames and passwords from browser sessions remain available in the authentication cache and vulnerable to malware.

Antivirus software or internet security apps are also a PCI requirement. I believe, however, that in a 2011 Banking Security Test report, MRG Effitas alleged that of 27 internet security products tested on Windows 32-bit and 64-bit machines, only a handful were effective against the Zeus botnet, for instance.

I believe they concluded that users should employ additional security measures on top of traditional antivirus or internet security suites. Compensating controls, such as securing the browser session, can provide additional protection, even when malware is present.

Maintaining and updating antivirus sounds simple, but many fail to keep on top of it. However, browser security delivered as part of the web application will ensure the latest controls are kept up to date.

The shift to web or cloud applications and services has created additional PCI compliance challenges. Requirement 6 states that organisations must develop and maintain secure systems and applications.

But demonstrating security controls built in an in-house application can be challenging, as many are legacy systems without comprehensive security controls.

Many organisations are also using web-based payment applications supplied by their bank to process transactions, which gives them no control over critical security updates and patches.

Building security into the application can be impractical, expensive or impossible. However, it is possible to build security into the browser session, something you do have control over.

Making the browser secure from local malware threats protects data from keyloggers, screen scraping and cache raiders.

Encrypting and deleting data written from the browser to the local cache, preventing cut, copy, paste, print and screen capture, and delivering this secure web browser protection as part of the application, closes many of the current security holes around meeting PCI requirements.

Laurie Coffin is vice president of marketing at Quarri Technologies