Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.infoworld.com/article/08/04/10/Acceptance-growing-for-PCI-security-standard_1.html
:
: By Matt Hines
: InfoWorld.com
: April 10, 2008
:
: The leading man for the payment card industry's data security standard
: claims that most companies affected by the mandate have begun to
: embrace the regulation, rather than debate or deny its merits.

Odd, based on my day job and a variety of communication with colleagues, it has been getting steadily worse the last few years. I can't think of one person who has 'begun to embrace the regulation'.

: "You'll always have people who resist when they are told that they
: have to do something, but most seem to agree that there is nothing
: alien in the three standards that we've issued thus far," Russo said.
: "I think that's because we've been able to establish that PCI is a
: strong security standard and this is work that people need to do
: anyways. Most of the remaining discord is related to the fact that
: people don't want to rip out and replace legacy systems."

Interesting that this article comes shortly after the Hannaford breach, in which the most recent articles suggest that the company was PCI compliant despite having over 300 machines compromised and millions of customers' credit information taken. Of course, this is not the first breach of a PCI certified company; looking back to CardSystems Solutions [1], we see that they too lost millions of records despite the seal of approval. It's hard to consider PCI DSS as "working" when we read about these events. More worrisome is that more companies were likely PCI certified after breaches [2], but just didn't admit to it.

: Russo said it's still unclear to what extent Hannaford was actually
: certified, or attentive in maintaining its compliance with the
: mandate. It also illustrates to other businesses that they will need
: to remain focused on related data security issues at all times, not
: merely when they know that they are being audited.

Why is it still unclear to what extent they were certified? What kind of administration nightmare does PCI carry that it takes a month to figure out "we're still not sure"? If the PCI council can't go to the ASV and other relevant vendors to ask, then it suggests the standard is clouded by improper administration and a weak definition of what is 'certified'. Unless they are making it fuzzy to provide spin control on this incident, as it would damage the PCI certification reputation.

: "The truth is that achieving compliance is a moment in time, it's a
: snapshot, and you need to be vigilant and live with these issues on a
: daily basis; you can't get your compliance certificate and put it in a
: drawer and feel satisfied," Russo said.

Thanks Russo, for confirming that being PCI compliant has absolutely no meaning or merit. If you are PCI compliant one day, and can be non-compliant the next, and there is no way to determine when a company was or was not... remind me what the benefit of this certification is?

- security curmudgeon

[1] http://www.wired.com/science/discoveries/news/2005/06/67980
[2] http://attrition.org/dataloss

-==-
Let identityLoveSock take your personal information into their wanting hands.
http://www.identity-love-sock.com/
Because victims have money too.
This archive was generated by hypermail 2.1.3 : Tue Apr 15 2008 - 23:37:29 PDT