BreachExchange mailing list archives

Re: OT? PCI Education Steak & Shake


From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Wed, 9 May 2007 10:34:55 -0400




Visa, in their letter announcing the PCI Advisory board formation,
determined that all auditors who perform on-site audits must be a QSA.
http://usa.visa.com/merchants/risk_management/cisp_assessors.html. 

The authorization for internal auditors to perform the task was under
the old CISP program (pre-PCI 1.0).  The assertion may still hold true,
but if a Level 1 does a self-assessment and then suffers a breach, Visa
would likely invalidate their audit and fine them heavily.

Of course, almost no company accepts only Visa, and not MasterCard, so
it's probably moot.




-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Clint P. Garrison
MBA, CISSP, QSA
Sent: Tuesday, May 08, 2007 3:43 PM
To: Kehoe, Matt
Cc: Data Loss Incidents
Subject: Re: [Dataloss] OT? PCI Education Steak & Shake


Actually that is not correct...

Visa and AmEx allow Level 1 merchants' internal auditors to perform the
PCI assessment, but a company officer has to sign off on it.
MasterCard's Level 1 merchants have to have a QSA perform the
assessment.

If you are referring to the quarterly (external) scans, you would be
correct. They have to be done by an ASV.

Clint P. Garrison

On 5/8/07, Kehoe, Matt <Matt.Kehoe () sephora com> wrote:
Having just gone through this, the biggest gotcha is that tier 1
retailers need a "3rd party assessment", which means you can't just
execute compliance from within....

PCI standards still leave much to be desired, but it's a good step
forward for retailing in general...

-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Al Mac
Sent: Tuesday, May 08, 2007 8:48 AM
To: Data Loss Incidents
Subject: [Dataloss] OT? PCI Education Steak & Shake

OT because we have no info on any cyber security incident, but of
interest what is considered to be state-of-art when it comes to
preventing certain kinds of incidents.

Steak & Shake restaurant chain has had to beef up its computer
security because a rapid increase in their credit card transaction
volume has taken them to more stringent tiers of PCI standards.  The
article shows us what hoops the chain had to jump through to meet the
standards.

What we do not see here is a perspective on security rules enforcement
to avoid more incidents like TJX.  There are also some statements in
the article that I would take issue with.  They imply stronger
security than my understanding of reality.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=291415&source=rss_topic17


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss Tracking more than 207 million
compromised records in 649 incidents over 7 years.
