BreachExchange mailing list archives
Re: Feds seek to nab credit card thieves in La., Miss.
From: "Jon Turner" <jjturner () gmail com>
Date: Tue, 19 Aug 2008 08:42:50 +0100
2008/8/19 Paul Ferguson <fergdawg () netzero net>:
> -- macwheel99 () wowway com wrote:
>
> > A company can buy some computer system and not install, or manage, it properly. I am more interested in whether they had any PCI audits or other security audits, and what if anything the audits had to say about their state of security preparedness.
> >
> > Here's what went wrong at TJX Max (click on preview to see document filed by 5/3 bank auditor AFTER the mess.)
> > http://www.box.net/shared/ieae3qfqj9
> >
> > This is quite an eye-opener ... they had perfectly good computer systems, but at some level of company leadership, there was no conception of their security responsibilities, what it meant to be PCI compliant.
>
> It was my understanding that (according to Evan Schuman at StorefrontBacktalk):
>
> "...Visa knew of the extensive security problems at TJX but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court Thursday."
>
> http://storefrontbacktalk.com/story/110907visaletter
>
> - ferg
Most companies are still burying their head in the sand regarding PCI; a large number are doing so knowingly, a significant number have no clue. If it's going to cost them X million to become compliant and there is only a risk of a fine, then why should they care? At the moment it's mainly just a risk of a fine if they lose data. As soon as the word "risk" is mentioned to management, the "It will never happen to us" complex kicks in and all chance of funding goes out the window (mainly because now everyone thinks they know about security; AV + firewall = secure to most non-specialists). Security is just a cost of doing business; it doesn't add sales or company value, so everyone attempts to minimize it. Only when the payment vendors take away their right to process cards will they start to take notice.

From Visa's point of view you can see why they would approve the exemption, though: either they approve it and are able to fine them if they lose the data ($'s to Visa) and also get 2% on most transactions through the store ($'s to Visa), and the payment processor/vendor is liable for losses, not Visa; or they don't approve it and remove the right to process Visa cards ($ to Mastercard + Amex).

At the moment, it's still the security teams in most organisations (if they have one) pushing PCI, and they don't have a very loud voice, whereas marketing and finance do.

Oh, sorry about the first post being a rant....