Re: [ISN] Acceptance growing for PCI security standard

From: InfoSec News (alerts@private)
Date: Tue Apr 15 2008 - 23:28:42 PDT


Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.infoworld.com/article/08/04/10/Acceptance-growing-for-PCI-security-standard_1.html
: 
: By Matt Hines
: InfoWorld.com
: April 10, 2008
: 
: The leading man for the payment card industry's data security standard 
: claims that most companies affected by the mandate have begun to 
: embrace the regulation, rather than debate or deny its merits.

Odd, based on my day job and a variety of communication with colleagues, 
it has been getting steadily worse the last few years. I can't think of 
one person who has 'begun to embrace the regulation'.

: "You'll always have people who resist when they are told that they 
: have to do something, but most seem to agree that there is nothing 
: alien in the three standards that we've issued thus far," Russo said. 
: "I think that's because we've been able to establish that PCI is a 
: strong security standard and this is work that people need to do 
: anyways. Most of the remaining discord is related to the fact that 
: people don't want to rip out and replace legacy systems."

Interesting that this article comes shortly after the Hannaford breach, 
in which the most recent articles suggest that the company was PCI 
compliant despite having over 300 machines compromised and millions of 
customers' credit information taken.

Of course, this is not the first breach of a PCI certified company; 
looking back to CardSystemsSolutions [1] we see that they too lost 
millions of records despite the seal of approval. It's hard to consider 
PCI DSS as "working" when we read about these events. More worrisome is 
that more companies were likely PCI certified after breaches [2], but 
just didn't admit to it.

: Russo said it's still unclear to what extent Hannaford was actually 
: certified, or attentive in maintaining its compliance with the 
: mandate. It also illustrates to other businesses that they will need 
: to remain focused on related data security issues at all times, not 
: merely when they know that they are being audited.

Why is it still unclear to what extent they were certified? What kind of 
administration nightmare does PCI carry that it takes a month to figure 
out "we're still not sure"? If the PCI council can't go to the ASV and 
other relevant vendors to ask, then it suggests the standard is clouded 
by improper administration and a weak definition of what is 
'certified'. Unless they are making it fuzzy to provide spin control on 
this incident as it would damage the PCI certification reputation.

: "The truth is that achieving compliance is a moment in time, it's a 
: snapshot, and you need to be vigilant and live with these issues on a 
: daily basis; you can't get your compliance certificate and put it in a 
: drawer and feel satisfied," Russo said.

Thanks Russo, for confirming that being PCI compliant has absolutely no 
meaning or merit. If you are PCI compliant one day, and can be 
non-compliant the next, and there is no way to determine when a company 
was or was not... remind me what the benefit of this certification is?

- security curmudgeon

[1] http://www.wired.com/science/discoveries/news/2005/06/67980
[2] http://attrition.org/dataloss


This archive was generated by hypermail 2.1.3 : Tue Apr 15 2008 - 23:37:29 PDT