BreachExchange mailing list archives
Re: OT? PCI Education Steak & Shake
From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Wed, 9 May 2007 10:34:55 -0400
Visa, in their letter announcing the PCI Advisory Board formation, determined that all auditors who perform on-site audits must be a QSA. http://usa.visa.com/merchants/risk_management/cisp_assessors.html. The authorization for internal auditors to perform the task was under the old CISP program (pre-PCI 1.0). The assertion may still hold true, but if a Level 1 does a self-assessment and then suffers a breach, Visa would likely invalidate their audit and fine them heavily. Of course, almost no company accepts only Visa, and not MasterCard, so it's probably moot.

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Clint P. Garrison MBA, CISSP, QSA
Sent: Tuesday, May 08, 2007 3:43 PM
To: Kehoe, Matt
Cc: Data Loss Incidents
Subject: Re: [Dataloss] OT? PCI Education Steak & Shake

Actually that is not correct... Visa and AmEx allow Level 1 merchants' internal auditors to perform the PCI assessment, but a company officer has to sign off on it. MasterCard's Level 1 merchants have to have a QSA perform the assessment. If you are referring to the quarterly (external) scans, you would be correct. They have to be done by an ASV.

Clint P. Garrison

On 5/8/07, Kehoe, Matt <Matt.Kehoe () sephora com> wrote:

Having just gone through this, the biggest gotcha is that tier 1 retailers need a "3rd party assessment", which means you can't just execute compliance from within.... PCI standards still leave much to be desired, but it's a good step forward for retailing in general...

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Al Mac
Sent: Tuesday, May 08, 2007 8:48 AM
To: Data Loss Incidents
Subject: [Dataloss] OT? PCI Education Steak & Shake

OT because we have no info on any cyber security incident, but of interest: what is considered to be state-of-the-art when it comes to preventing certain kinds of incidents. Steak & Shake restaurant chain has had to beef up its computer security because a rapid increase in their credit card transaction volume has taken them to more stringent tiers of PCI standards. The article shows us what hoops the chain had to jump through to meet the standards. What we do not see here is a perspective on security rules enforcement to avoid more incidents like TJX. There are also some statements in the article that I would take issue with. They imply stronger security than my understanding of reality.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=291415&source=rss_topic17

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 207 million compromised records in 649 incidents over 7 years.
Current thread:
- OT? PCI Education Steak & Shake Al Mac (May 08)
- Re: OT? PCI Education Steak & Shake Kehoe, Matt (May 08)
- Re: OT? PCI Education Steak & Shake blitz (May 08)
- Re: OT? PCI Education Steak & Shake Clint P. Garrison MBA, CISSP, QSA (May 08)
- Re: OT? PCI Education Steak & Shake DAIL, ANDY (May 09)
- Re: OT? PCI Education Steak & Shake Kehoe, Matt (May 08)