
Forwarded from: security curmudgeon <jericho (at) attrition.org>



: http://www.infoworld.com/article/08/04/10/Acceptance-growing-for-PCI-security-standard_1.html
:
: By Matt Hines
: InfoWorld.com
: April 10, 2008
:
: The leading man for the payment card industry's data security standard
: claims that most companies affected by the mandate have begun to
: embrace the regulation, rather than debate or deny its merits.



Odd, based on my day job and a variety of communication with colleagues,
it has been getting steadily worse the last few years. I can't think of
one person who has 'begun to embrace the regulation'.



: "You'll always have people who resist when they are told that they
: have to do something, but most seem to agree that there is nothing
: alien in the three standards that we've issued thus far," Russo said.
: "I think that's because we've been able to establish that PCI is a
: strong security standard and this is work that people need to do
: anyways. Most of the remaining discord is related to the fact that
: people don't want to rip out and replace legacy systems."



Interesting that this article comes shortly after the Hannaford breach,
in which the most recent articles suggest that the company was PCI
compliant despite having over 300 machines compromised and millions of
customers' credit information taken.



Of course, this is not the first breach of a PCI certified company;
looking back to CardSystems Solutions [1] we see that they too lost
millions of records despite the seal of approval. It's hard to consider
PCI DSS as "working" when we read about these events. More worrisome is
that more companies were likely PCI certified after breaches [2], but
just didn't admit to it.



: Russo said it's still unclear to what extent Hannaford was actually
: certified, or attentive in maintaining its compliance with the
: mandate. It also illustrates to other businesses that they will need
: to remain focused on related data security issues at all times, not
: merely when they know that they are being audited.



Why is it still unclear to what extent they were certified? What kind of
administration nightmare does PCI carry that it takes a month to figure
out "we're still not sure"? If the PCI council can't go to the ASV and
other relevant vendors to ask, then it suggests the standard is clouded
by improper administration and a weak definition of what is
'certified'. Unless they are making it fuzzy to provide spin control on
this incident, as it would damage the PCI certification reputation.



: "The truth is that achieving compliance is a moment in time, it's a
: snapshot, and you need to be vigilant and live with these issues on a
: daily basis; you can't get your compliance certificate and put it in a
: drawer and feel satisfied," Russo said.



Thanks Russo, for confirming that being PCI compliant has absolutely no
meaning or merit. If you are PCI compliant one day, and can be
non-compliant the next, and there is no way to determine when a company
was or was not... remind me what the benefit of this certification is?



- security curmudgeon



[1] http://www.wired.com/science/discoveries/news/2005/06/67980
[2] http://attrition.org/dataloss





-==-
Let identityLoveSock take your personal information into
their wanting hands. http://www.identity-love-sock.com/
Because victims have money too.




