BreachExchange mailing list archives

Re: VISA / 1ST BANK


From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Thu, 19 Oct 2006 17:05:23 -0400


Depending on the industry and depending on the circumstances of the
breach, it could be impossible for the merchant to notify the people
affected.  A lot of retail systems store credit card numbers for
chargeback research, but the name of the card holder is not kept. 

When one of these businesses is breached they know xxxxx number of card
numbers were possibly compromised, but not who the cards belong to
(Magnetic stripe data being an exception).  In that event the company
has no choice but to notify their settlement provider, who will in turn
notify the issuer, who can cross reference card numbers with card
holders.



Andy Dail
Sunoco PCI Project Manager
(918) 586-6160

        -----Original Message-----
        From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Dennis Opacki
        Sent: Thursday, October 19, 2006 3:43 PM
        To: dataloss () attrition org
        Subject: Re: [Dataloss] VISA / 1ST BANK


        The way I read the notification, it didn't sound like the
        processor was affiliated with 1st Bank:
        
        "We would also like to reassure you that the compromise of
        information occurred at a merchant card processor's location, not
        FirstBank and therefore your account information at FirstBank has not
        been obtained by these unauthorized indivuduals(SIC)."
        
        Perhaps they are just notifying customers affected by another
        company's gaffe? Must be a bad day if they didn't even spell-check the
        notification before it went out..
        
        -Dennis
        

________________________________

        From: B.K. DeLong
        Sent: Thu 10/19/2006 1:21 PM
        To: Chris Walsh
        Cc: dataloss () attrition org
        Subject: Re: [Dataloss] VISA / 1ST BANK


        Is it that hard to find out who did the card processing for 1st Bank?


        On 10/19/06, Chris Walsh <cwalsh () cwalsh org > wrote:

                On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
                > Well, whomever it was will probably get whacked with a HUGE fine for
                > violating PCI Security standards. I'm guessing it won't take long to
                > determine who falls under approved card processors for Visa.
        
        
                They might get fined, but not by Visa.  Too much butter on that bread
                to throw it in the bin.
        
                The FTC, OTOH, may do some enforcement:

http://www.emergentchaos.com/archives/2006/06/prediction.html
        
                Visa has been zealously guarding the "privacy" of these processors since
                at least December of 2005, when the Sam's Club stuff started to hit the
                fan.  Even Gartner called MC and Visa out on it:

http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html
        
                Chris
        
        




        --
        B.K. DeLong (K3GRN)
        bkdelong () pobox com
        +1.617.797.8471

        http://www.wkdelong.org/                    Son.
        http://www.ianetsec.com/                    Work.
        http://www.bostonredcross.org/             Volunteer.
        http://www.carolingia.eastkingdom.org/   Service.
        http://bkdelong.livejournal.com/             Play.


        PGP Fingerprint:
        38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

        FOAF:
        http://foaf.brain-stream.org/



_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 137 million compromised records in 430 incidents over 6 years.


