BreachExchange mailing list archives
CC companies not disclosing actions against PCI DSS violators
From: "B.K. DeLong" <bkdelong () pobox com>
Date: Thu, 29 Mar 2007 10:48:38 -0400
A bit of a rant follows.... I don't know about anyone else on this list, but I've been talking to many, many organizations who don't see the risk of non-compliance with PCI, because they don't see action being taken. Except action is being taken: large fines are being levied and, in some cases, companies ARE losing processing privileges. The problem is that because the relationship between the credit card companies, processors and merchants is a set of private contracts, there is no reason for the companies to disclose actions taken, and obviously there are no laws requiring that such action be disclosed.

I'm wondering if any of the state data breach reporting laws have tried to or do require mention of whether a credit card company took action when credit card information was lost in a breach. Come to think of it, does the information protected under PCI DSS overlap with that covered by data breach laws?

Vendors - you want people to take PCI more seriously? Push for even a generic disclosure: "there have been 200 fines in the past two years"; "20 companies have been fined this quarter totaling $20M in fines"; "15 companies lost processing privileges for 30 days to 6 months, with 5 of them being Fortune 500"; etc. (or whatever).

Reporters - while covering all these data breaches, press the companies where CC info was involved in the breach as to whether action was taken by their credit card company as required by the PCI DSS.

Everyone else - has anyone seen data about a breach involving credit cards where the price of goods may have gone up to cover an undisclosed fine? Or where the company had a "glitch" in processing credit cards for a period of time? What about states without breach disclosure laws?
From an information security perspective, my senior management isn't going to deign to comply with PCI DSS if all they have to do is pay a fine or deal with a short processing restriction period (which can be explained as technical difficulties), if there's no chance of the bigger, more detrimental effect of public shame and loss of reputation.

--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.