Dark Reading is part of the Informa Tech Division of Informa PLC

Jeff Hussey

Is Your Organization Merely PCI-Compliant or Is It Actually Secure?

The Host Identity Protocol might be the answer to inadequate check-the-box security standards.

Can you hear the clock ticking? It's the countdown to June 30, 2018, the deadline for all merchants to migrate their payment card-related operations to comply with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS v 3.2). But what does that really mean?

Does it mean consumers will be able to hand out their credit cards to every food truck, t-shirt vendor, and street musician across the world and expect complete security?

Does it mean that hackers, bad actors, and all other cybercriminals will be rendered useless and forced to change from a life of cybercrime into a new life of altruistic intent?

Does it mean that the news broadcasts won't be inundated with stories of massive data breaches from retailers and government organizations?

The answer to all those questions is no, not really … actually, not at all. The most recent data security standard for credit card payment systems merely ensures compliance but not necessarily security. In fact, industry compliance and actual security are very different things. This isn't acceptable — the world must strive for compliance and security.

Compliant but Still Vulnerable
Although ensuring that all payment card systems are up to standard is a step in the right direction, it's not foolproof. Consider these recent incidents of PCI-compliant entities that were still breached:


Year of Attack | Method of Attack
(not recoverable) | XSS cookie stealing and session hijacking
(not recoverable) | Broken encryption

As you can see, attacks are still effective at striking PCI-compliant entities. Better security is still needed to prevent intrusions into your organization's credit card information. Compliance standards usually mean just checking off the right boxes on a self-assessment checklist and periodically sending in screenshots of random encrypted values to "validate" those responses.

If only security were that easy. People with malicious intent want to expose any loophole within your system, regardless of PCI compliance. Realistically, compliance means only that your systems are updated to a level deemed as acceptable by the given standard. But cybercriminals are operating far past the level of acceptable or standard. They only have to find one weak link in a chain of otherwise acceptable practices. Your payment card systems may look good to the "standard" observer, but the advanced hacker may see numerous opportunities for access, and it takes only one.

The Problem with Address-Defined Networking
The problem stems from the way we've been networking our devices ever since the 1970s. Unfortunately, traditional, address-defined networking can achieve total compliance while continuing to be irresponsibly susceptible to many critical security issues. The weak link lies within its architecture, where an IP address serves as both a machine's location and its identity.

IP addresses are vulnerable to attack because they are "spoofable." That is, a hacker can gain access to your PCI systems by pretending to come from a valid IP address. It's akin to the virtual version of identity theft. Once they gain this unauthorized access, they're free to roam around your networked system, where they can steal credit card information from your customers. IT security stakeholders must think about how to overcome the vulnerability of the IP address with something "unspoofable." It’s also no secret that IP change management is an ongoing headache and prone to error.

HIP Technology Offers Compliance and Security
So, how do you increase your network's security to truly safeguard valuable credit card information, personally identifiable information, and other critical data? This is where the Host Identity Protocol (HIP) technology, recently ratified by the IETF, comes into play. HIP gives you the ability to supply a trusted cryptographic identity (CryptoID) to every endpoint, which provides unprecedented capabilities in the world of networking. Not only can you make trusted endpoints invisible to the plethora of people with bad intentions, but you can also easily segment an individual device to create a perimeter of one. Centralized orchestration of CryptoIDs is what makes it all possible and simple.
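The two preceding sections make one concrete claim: an allow-list keyed on source IP admits anyone who can forge the address, while a policy keyed on a cryptographic host identity admits only a holder of the matching private key. The following Go program is an added illustration of that contrast and is not code from the article, from Tempered Networks, or from any HIP implementation. It assumes a simplified host identity tag (a truncated SHA-256 of the public key, rather than the ORCHID construction RFC 7401 specifies), uses Ed25519 for brevity rather than the HIP-registered Host Identity algorithms, and models the gateway's view of a request as a plain struct instead of a real packet; the IP address, payload and key pairs are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HostIdentityTag derives a fixed-length identifier from a host's public key.
// Assumption: this is a simplified stand-in for a HIP Host Identity Tag. The
// real HIT in RFC 7401 is an ORCHID (hash of the Host Identity plus a context
// ID under an IPv6 prefix); this example does not reproduce that encoding.
func HostIdentityTag(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// Request models what a gateway in front of a cardholder-data system sees.
// Constructed model for this example, not a wire format.
type Request struct {
	SrcIP string            // network-layer source address as claimed by the packet
	Body  []byte            // the transaction payload
	Pub   ed25519.PublicKey // sender's host identity (nil when the sender has none)
	Sig   []byte            // Ed25519 signature over Body under Pub
}

// AuthorizeByAddress is the address-defined policy: the source IP is both
// location and identity, so whoever can forge the address is "trusted".
func AuthorizeByAddress(allowedIPs map[string]bool, r Request) bool {
	return allowedIPs[r.SrcIP]
}

// AuthorizeByIdentity ignores the address and admits a request only if it is
// signed under a public key whose tag is on the allow-list. A forged SrcIP
// buys nothing without the corresponding private key, and any change to the
// payload after signing invalidates the signature.
func AuthorizeByIdentity(allowedHITs map[string]bool, r Request) bool {
	if len(r.Pub) != ed25519.PublicKeySize {
		return false
	}
	if !allowedHITs[HostIdentityTag(r.Pub)] {
		return false
	}
	return ed25519.Verify(r.Pub, r.Body, r.Sig)
}

// Outcome records how each policy treats each constructed request.
type Outcome struct {
	LegitByAddress, SpoofByAddress   bool
	LegitByIdentity, SpoofByIdentity bool
	TamperedByIdentity               bool
}

// Demo builds an enrolled point-of-sale host, an attacker spoofing its IP,
// and a tampered message, then evaluates both policies against them.
func Demo() (Outcome, error) {
	posPub, posPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	const posIP = "10.20.30.40" // constructed address of the enrolled POS host
	body := []byte(`{"txn":"auth","amount":"19.99"}`)

	legit := Request{SrcIP: posIP, Body: body, Pub: posPub, Sig: ed25519.Sign(posPriv, body)}
	// The spoofer presents the enrolled host's address but a key that was never enrolled.
	spoof := Request{SrcIP: posIP, Body: body, Pub: attackerPub, Sig: ed25519.Sign(attackerPriv, body)}
	// Same enrolled key, but the payload was altered after it was signed.
	tampered := legit
	tampered.Body = []byte(`{"txn":"auth","amount":"1999.99"}`)

	allowedIPs := map[string]bool{posIP: true}
	allowedHITs := map[string]bool{HostIdentityTag(posPub): true}

	return Outcome{
		LegitByAddress:     AuthorizeByAddress(allowedIPs, legit),
		SpoofByAddress:     AuthorizeByAddress(allowedIPs, spoof),
		LegitByIdentity:    AuthorizeByIdentity(allowedHITs, legit),
		SpoofByIdentity:    AuthorizeByIdentity(allowedHITs, spoof),
		TamperedByIdentity: AuthorizeByIdentity(allowedHITs, tampered),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("address policy:  legit=%v spoof=%v\n", o.LegitByAddress, o.SpoofByAddress)
	fmt.Printf("identity policy: legit=%v spoof=%v tampered=%v\n",
		o.LegitByIdentity, o.SpoofByIdentity, o.TamperedByIdentity)
}
```

Running it shows the address policy admitting both the enrolled host and the spoofer, and the identity policy admitting only the enrolled host's untampered request. The design point is that the allow-list entry is the hash of a public key, so enrolment and revocation are key management operations and do not change when the host's address does; that is the property the article's "centralized orchestration of CryptoIDs" refers to.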

If you consider that address-defined networking has served as the foundation of communication for numerous decades now, that’s a big achievement. Not many technologies last that long and remain effective. The time has come for HIP-based communications to provide a more secure and compliant solution as we move to a world where connectivity and online commerce have no boundaries.

E-commerce lets us conduct credit card transactions from New Zealand to New England, but freely floating those transactions into cyberspace with recognition of mere compliance — not actual security — is like sending hard cash as a Christmas gift via snail mail. Is it within the compliant boundaries of federal law? Yes. Is it wise or secure to do so? Absolutely not.

HIP-based technology can be implemented across any network — legacy or state-of-the-art — as part of an identity-based solution to provide instant cloaking, local and wide area micro-segmentation, machine authentication and authorization, and end-to-end encryption.

A Cost Comparison
One of the biggest headaches we face regarding PCI compliance is the cost involved. Internal personnel usually need to be dedicated for a period of three to four months to address the requirements. Outside consultants also need to be hired for that timeframe, adding significant costs. Lastly, penetration testing must be performed to ensure total compliance. The cost of such a task for a typical medium-sized company amounts to an average of around $441,000, according to Marcum LLP, an independent public accounting and advisory services firm. By switching to an identity-based solution with HIP-based technology, the average cost of PCI compliance for a medium-sized company is reduced to $337,500, which is a conservative estimate, yet translates to significant cost savings.

Three Reasons to Adopt HIP-based Technology
Compliance, security, and cost-effectiveness are all valid reasons to adopt HIP-based technology going forward as a way to achieve both PCI compliance and security. Consider the following three advantages:

  1. Easy compliance by the PCI DSS v 3.2 deadline
  2. State-of-the-art security and control across all endpoints of your network
  3. Cost-effectiveness will be achieved in a number of ways:
    • Costly, brand-tarnishing data breaches and successful hacks of your payment card systems will be virtually eliminated.
    • Significant reduction in the skilled IT staff required to achieve and then maintain PCI compliance.

Yes, you can do something about the bad actors in cyberspace. Compliance and security don't need to be separated. Security-conscious organizations should and can have both.


Jeff Hussey is president and CEO of Tempered Networks. Hussey, the founder of F5 Networks, is an accomplished entrepreneur with a proven track record in the networking and security markets. He maintains several board positions across a variety of technology, non-profit and ...
