

How will Shellshock affect PCI DSS audits for enterprises?

PCI DSS audits are sure to include a look at Shellshock mitigation. Expert Mike Chapple discusses how organizations can prepare.

With the Shellshock vulnerability gaining attention in recent months, I'm worried it will affect my company's payment systems. Will upcoming PCI DSS audits include a look into Shellshock or require mitigation of the threat? And if so, what can my organization do to prepare for that?

The Shellshock vulnerability lets attackers execute arbitrary commands on vulnerable Unix and Macintosh systems. This is a very serious vulnerability, and system administrators should take immediate action to correct it throughout their enterprise environments. Patches are available for all major Unix operating systems and should be applied without delay.

There is no doubt that PCI DSS auditors will look for the Shellshock vulnerability within your cardholder data environment, and I think it is unlikely that an auditor would issue a passing Report on Compliance to any merchant with unpatched, exposed Shellshock issues.

Fortunately, organizations with solid PCI DSS compliance programs should already have several measures in place that would identify and correct this problem. First, the regular vulnerability scans required by PCI DSS should detect the presence of Shellshock on cardholder systems and provide instructions for remediation. Second, PCI DSS 6.2 requires merchants to apply critical security patches within one month of release. Shellshock patches became available in late September 2014, so that one-month window has long since closed. Organizations compliant with PCI DSS 6.2 should therefore already have the Shellshock vulnerability corrected.
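The vulnerability scans mentioned above are the authoritative check for your cardholder data environment, but an administrator verifying that a patch actually landed on a given host often wants a quick local self-test as well. The script below is an added example and is not part of the original article: it runs the widely published Shellshock diagnostic against the installed bash binary. It exports an environment variable whose value is a function definition followed by a trailing command; an unpatched bash runs that trailing command while importing the function, a patched bash does not. It assumes `bash` is on the PATH (or that you pass the path to the binary you want to test); the marker string is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: local self-check for the
# original Shellshock bug in bash's environment-variable function import.
# Prints "vulnerable", "patched" or "no-bash" (binary not found) and returns
# 1 only when the tested bash is vulnerable, so it can gate audit scripts.

shellshock_status() {
    bash_bin="${1:-bash}"   # assumption: bash on PATH unless a path is given

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # SHELLSHOCK_MARKER is a constructed token for this example. The variable
    # value is a harmless function body followed by an "echo"; only an
    # unpatched bash executes the echo when it imports the function.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'true' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# Stand-alone usage: ./shellshock_status.sh [/path/to/bash]
shellshock_status "$@"
```

This only tells you about the bash binary on the host where it runs; it says nothing about whether a service (a CGI handler, a DHCP client, an SSH forced command) on that host actually exposes bash to untrusted input, which is what the PCI DSS vulnerability scan and your asset inventory have to answer. Record the result alongside the patch date so the evidence for the PCI DSS 6.2 one-month window is ready for the auditor.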



This was last published in March 2015
