Penetration Testing mailing list archives
Re: reporting a web site breach
From: "Jason Ross" <algorythm () gmail com>
Date: Fri, 17 Oct 2008 01:34:00 -0400
On Thu, Oct 16, 2008 at 7:46 PM, David Glosser <david.glosser () gmail com> wrote:
> But beyond the "contact us" page, I didn't see any information on the pcisecuritystandards web site. Aren't they just a standards organization?
Yes. As they define themselves: "PCI SSC is the standards body that maintains the payment card industry standards, including the PCI DSS and PA-DSS." (from the Audit Procedures guide (PDF): http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5767&var=1)

A couple of other relevant quotes from the PCI (found by submitting the question of whom to contact about violations; they display a "before you submit this, are any of these links helpful" list). I'm unsure what the connection between the PCI site and the server/domain these questions are hosted at is, but the PCI site linked to these so I view them as 'official', YMMV.

Note too, I've formatted the text. The initial text was all jumbled together, making it tough to read. Click the links if you wish to see them in their original horribleness ;-)

"What are the consequences to my business if I do not comply with the PCI DSS?

The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programs and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant."
- http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5319&var=1

"What are the fines and penalties assessed to companies for non-compliance with the PCI DSS?

Any fines and/or penalties associated with non-compliance with the PCI DSS and/or confirmed security breaches are defined by each of the payment card brands. For more specific information, please contact the individual payment card brands.

For a better understanding of roles and responsibilities, please refer to:

American Express - DSOP
  http://www.americanexpress.com/datasecurity
  Email: American.Express.Data.Security () aexp com

Discover - DISC
  http://www.discovernetwork.com/resources/data/data_security.html
  Email: askdatasecurity () discoverfinancial com

JCB - TBD
  http://www.jcb-global.com/english/pci/index.html
  Email: riskmanagement () jcbati com

MasterCard - Site Data Protection (SDP)
  http://www.mastercard.com/sdp
  Email: sdp () mastercard com

Visa - Account Information Security (AIS) & Cardholder Information Security Program (CISP)
  Visa AIS - Asia Pacific
    http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais.shtml
  Visa AIS - Canada
    www.visa.ca/ais
  Visa AIS - Central Europe, Middle East, & Africa
    http://www.visacemea.com/ac/ais/data_security.jsp
    Email: CemeaAIS () visa com
  Visa AIS - Europe
    http://www.visaeurope.com/aboutvisa/security/ais
    Email: datasecuritystandards () visa com
  Visa AIS - Latin America & Caribbean
    www.visalatam.com/ais
    Email: aislac () visa com
  Visa CISP - United States
    http://www.visa.com/cisp
    Email: cisp () visa com"
- http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5376&var=1

So, in other words, as a few have already stated, contacting the PCI SSC for violations is unlikely to be helpful, and contacting the individual card brand is encouraged.

-- 
Jason