Jeff Hussey

Is Your Organization Merely PCI-Compliant or Is It Actually Secure?

The Host Identity Protocol might be the answer to inadequate check-the-box security standards.

Can you hear the clock ticking? It's the countdown to June 30, 2018, the deadline for all merchants to migrate their payment card-related operations to comply with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS v 3.2). But what does that really mean?

Does it mean consumers will be able to hand out their credit cards to every food truck, t-shirt vendor, and street musician across the world and expect complete security?

Does it mean that hackers, bad actors, and all other cybercriminals will be rendered useless and forced to change from a life of cybercrime into a new life of altruistic intent?

Does it mean that the news broadcasts won't be inundated with stories of massive data breaches from retailers and government organizations?

The answer to all those questions is no, not really … actually, not at all. The most recent data security standard for credit card payment systems merely ensures compliance but not necessarily security. In fact, industry compliance and actual security are very different things. This isn't acceptable — the world must strive for compliance and security.

Compliant but Still Vulnerable
Although ensuring that all payment card systems are up to standard is a step in the right direction, it's not foolproof. Consider these recent incidents of PCI-compliant entities that were still breached:

[Table: breaches of PCI-compliant entities, with columns "Year of Attack" and "Method of Attack". Only the method column survived extraction; recoverable entries: "XSS cookies stealing and hijacking" and "Broken encryption".]

As you can see, attacks are still effective at striking PCI-compliant entities. Better security is still needed to prevent intrusions into your organization's credit card information. Compliance standards usually mean just checking off the right boxes on a self-assessment checklist and periodically sending in screenshots of random encrypted values to "validate" those responses.

If only security were that easy. People with malicious intent want to expose any loophole within your system, regardless of PCI compliance. Realistically, compliance means only that your systems are updated to a level deemed acceptable by the given standard. But cybercriminals are operating far past the level of acceptable or standard. They only have to find one weak link in a chain of otherwise acceptable practices. Your payment card systems may look good to the "standard" observer, but the advanced hacker may see numerous opportunities for access, and it takes only one.

The Problem with Address-Defined Networking
The problem stems from the way we've been networking our devices ever since the 1970s. Unfortunately, traditional, address-defined networking can achieve total compliance while continuing to be irresponsibly susceptible to many critical security issues. The weak link lies within its architecture, where an IP address serves as both a machine's location and its identity.

IP addresses are vulnerable to attack because they are "spoofable." That is, a hacker can gain access to your PCI systems by pretending to come from a valid IP address. It's akin to the virtual version of identity theft. Once they gain this unauthorized access, they're free to roam around your networked system, where they can steal credit card information from your customers. IT security stakeholders must think about how to overcome the vulnerability of the IP address with something "unspoofable." It’s also no secret that IP change management is an ongoing headache and prone to error.

HIP Technology Offers Compliance and Security
So, how do you increase your network's security to truly safeguard valuable credit card information, personally identifiable information, and other critical data? This is where the Host Identity Protocol (HIP) technology, recently ratified by the IETF, comes into play. HIP gives you the ability to supply a trusted cryptographic identity (CryptoID) to every endpoint, which provides unprecedented capabilities in the world of networking. Not only can you make trusted endpoints invisible to the plethora of people with bad intentions, but you can also easily segment an individual device to create a perimeter of one. Centralized orchestration of CryptoIDs is what makes it all possible and simple.

If you consider that address-defined networking has served as the foundation of communication for numerous decades now, that’s a big achievement. Not many technologies last that long and remain effective. The time has come for HIP-based communications to provide a more secure and compliant solution as we move to a world where connectivity and online commerce have no boundaries.

E-commerce lets us conduct credit card transactions from New Zealand to New England, but freely floating those transactions into cyberspace with recognition of mere compliance — not actual security — is like sending hard cash as a Christmas gift via snail mail. Is it within the compliant boundaries of federal law? Yes. Is it wise or secure to do so? Absolutely not.

HIP-based technology can be implemented across any network — legacy or state-of-the-art — as part of an identity-based solution to provide instant cloaking, local and wide area micro-segmentation, machine authentication and authorization, and end-to-end encryption.

A Cost Comparison
One of the biggest headaches we face regarding PCI compliance is the cost involved. Internal personnel usually need to be dedicated for a period of three to four months to address the requirements. Outside consultants also need to be hired for that timeframe, adding significant costs. Lastly, penetration testing must be performed to ensure total compliance. The cost of such a task for a typical medium-sized company amounts to an average of around $441,000, according to Marcum LLP, an independent public accounting and advisory services firm. By switching to an identity-based solution with HIP-based technology, the average cost of PCI compliance for a medium-sized company is reduced to $337,500, which is a conservative estimate, yet translates to significant cost savings.

Three Reasons to Adopt HIP-based Technology
Compliance, security, and cost-effectiveness are all valid reasons to adopt HIP-based technology going forward as a way to achieve both PCI compliance and security. Consider the following three advantages:

  1. Easy compliance by the PCI DSS v 3.2 deadline
  2. State-of-the-art security and control across all endpoints of your network
  3. Cost-effectiveness will be achieved in a number of ways:
    • Costly, brand-tarnishing data breaches and successful hacks of your payment card systems will be virtually eliminated.
    • Significant reduction in the skilled IT staff required to achieve and maintain PCI compliance.

Yes, you can do something about the bad actors in cyberspace. Compliance and security don't need to be separated. Security-conscious organizations should and can have both.


Jeff Hussey is president and CEO of Tempered Networks. Hussey, the founder of F5 Networks, is an accomplished entrepreneur with a proven track record in the networking and security markets. He maintains several board positions across a variety of technology, non-profit and ...
