This is page 2 of:
Forgotten Apps Pose PCI Danger, Visa List Shows
The list is not directly shared with retailers (at least Visa doesn’t), but acquirers are permitted to share the information with retailers. Why not share the full list with retailers so they have the best information? The security argument falls flat, because it’s not a list of merchants at which the old apps are still used. Surely, the benefit to the community’s security is advanced more by making it easier for retailers to rid their systems of these troublesome relics.
Apps on the list don’t necessarily consistently retain prohibited data. Here’s the exact wording from the document: “product version that may retain sensitive authentication data.” However, one person who works with Visa said the list includes either apps known to retain prohibited data or apps that were involved in a data breach.
Yes, there is a slight risk of cyberthieves searching for the riskier versions in retail systems. It’s not much of a concern, however, because of the effort-to-benefit ratio. But if that’s a real security issue, then Visa’s publishing an approved list that says “version 5.2 and above is compliant” pretty much telegraphs to the bad buys what they need to seek. In short, it’s a problem regardless of whether the Bad Apps list is disclosed.
The list is also not necessarily 100 percent accurate. One app on the list, for example, is osCommerce 2.1. It seems to be the only open-source application on the list, and it is also the only item on the list that mentions neither a patch nor a certified version. But the list gives January 2008 as the date the product was either published or updated, even though 2.1 was replaced by 2.2 seven years ago (back in 2003), according to Kym Romanets. Romanets is the CEO of OzeWorks, the company that has commercialized the open-source osCommerce.(See Frank Hayes’ column, Why Open Source Drives PCI Nuts)
Beyond the date, Romanets said she disagrees that even the older version of the app retains prohibited data, although she added that one part of the program might have confused Visa into thinking it did.
“The only area that Visa might have issue with was the provision of a demonstration payment module, which did store credit card details in the database and was not PCI compliant because it was not meant to be,” Romanets said. “It was for demonstration purposes and clearly marked ‘Not For Production Use.’ osCommerce has removed this module and it is not available in the current MS2.2 RC2a download.”
Given the existence of patches for many of these versions, the discovery of a version number on the Bad Apps list doesn’t necessarily mean it’s a problem. But upgrading or replacing that version is probably not a bad idea. After all, it can be hard to quickly determine whether a patch had indeed been applied. It seems simpler to just upgrade the whole app.
Here is Visa’s Bad Apps Version list, as of June 2, 2010:
- ACI Worldwide. OpeN/2. All versions prior to V6.2.
- Affiliated Computer Services. WebPRCS. All versions prior to V7.0.
Omnimatic V3.1, 2.1.
PRCS-TIM. All versions prior to V4.0.
PRCS-PC. All versions prior to 6.1.
-Marc
June 10th, 2010 at 11:43 am
I have no idea the reason Visa or PCI SSC does not publicly post this list. I have two guesses: 1) legal reasons — Visa is affraid they’ll be sued for libel? or 2) security reasons like you mentioned — but hackers have a better network for distributing this information and most likely already know these vulnerable apps and many more.
*The asterisks next to the various Micros versions indicate that there are secure third party drivers that can bring them into compliance.
July 1st, 2010 at 7:08 pm
It’s logical not to publish the list, although I would personally benefit from its publication.
Two of my competitors are on the list, but the systems listed are very old. Many consumers would look at the brand name and just reject them as potential choices to be on the safe side. VISA doesn’t want it list to be a kiss of death for an established brand.