Penetration Testing mailing list archives

Re: reporting a web site breach


From: "Jason Ross" <algorythm () gmail com>
Date: Fri, 17 Oct 2008 01:34:00 -0400

On Thu, Oct 16, 2008 at 7:46 PM, David Glosser <david.glosser () gmail com> wrote:

But beyond the "contact us" page, I didn't see any information on the
pcisecuritystandards web site.
Aren't they just a standards organization?


Yes. As they define themselves:

"PCI SSC is the standards body that maintains the payment card
industry standards, including the PCI DSS and PA-DSS."
   (from the Audit Procedures guide (PDF):
http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5767&var=1)

A couple of other relevant quotes from the PCI (found by submitting
the question of whom to contact about violations; they display a
"before you submit this, are any of these links helpful" list). I'm
unsure what the connection between the PCI site and the server/domain
these questions are hosted at is, but the PCI site linked to these so
I view them as 'official', YMMV. Note too, I've formatted the text. The
initial text was all jumbled together making it tough to read. Click
the links if you wish to see them in their original horribleness ;-)

"What are the consequences to my business if I do not comply with the PCI DSS?

The PCI Security Standards Council encourages all businesses that
store payment account data to comply with the PCI DSS to help lower
their brand and financial risks associated with account payment data
compromises. The PCI Security Standards Council does not manage
compliance programs and does not impose any consequences for
non-compliance.

Individual payment brands, however, may have their own compliance
initiatives, including financial or operational consequences to
certain businesses that are not compliant. "
   - http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5319&var=1


"What are the fines and penalties assessed to companies for
non-compliance with the PCI DSS?
Any fines and/or penalties associated with non-compliance with the PCI
DSS and/or confirmed security breaches are defined by each of the
payment card brands.

For more specific information, please contact the individual payment
card brands.
For a better understanding of roles and responsibilities, please refer to:

American Express - DSOP
http://www.americanexpress.com/datasecurity
Email: American.Express.Data.Security () aexp com

Discover - DISC
http://www.discovernetwork.com/resources/data/data_security.html
Email: askdatasecurity () discoverfinancial com

JCB - TBD
http://www.jcb-global.com/english/pci/index.html
Email: riskmanagement () jcbati com

MasterCard - Site Data Protection (SDP)
http://www.mastercard.com/sdp
Email: sdp () mastercard com

Visa - Account Information Security (AIS) & Cardholder Information
Security Program (CISP)

Visa AIS - Asia Pacific
http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais.shtml

Visa AIS - Canada
www.visa.ca/ais

Visa AIS - Central Europe, Middle East, & Africa
http://www.visacemea.com/ac/ais/data_security.jsp
Email: CemeaAIS () visa com

Visa AIS - Europe
http://www.visaeurope.com/aboutvisa/security/ais
Email: datasecuritystandards () visa com

Visa AIS - Latin America & Caribbean
www.visalatam.com/ais
Email: aislac () visa com

Visa CISP - United States
http://www.visa.com/cisp
Email: cisp () visa com "
   - http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5376&var=1


So, in other words, as a few have already stated, contacting the PCI
SSC for violations is unlikely to be helpful, and contacting the
individual card brand is encouraged.

--
Jason
