PCI-DSS woefully inadequate when it comes to in-memory payment card data requirements!
What do the breaches at Target, Home Depot, Neiman Marcus, Michaels, TJ Maxx, Albertsons, SuperValu, Heartland Payment Systems and Viator have in common, other than the huge financial losses they all incurred? One thing: they all lost their payment card data through a memory-scraping attack, irrespective of how the attacker initially gained access to their IT infrastructure.
Memory-scraping attacks have been quite prevalent over the past several years, especially in the payment industry. PCI-DSS is the organization that sets the standard for how payment card data must be handled. While it is rather specific in several areas and enforces concrete requirements for how payment card data must be stored on disk and protected in transit, its requirements for handling the same data while it is in memory are at best vague and woefully inadequate. Proactively enforcing a specific set of requirements for in-memory payment card data as well would help prevent payment-card-related memory-scraping attacks in the future. With that in mind, we submitted an RFE to PCI-DSS requesting that they enforce specific requirements for how in-memory payment card data is handled.
For access to the RFE we submitted, please email info_at_kryptoguard_dot_com.
Founder of KryptoGuard™ technology initiative, product and services.