BreachExchange mailing list archives

Re: Visa Puts Heartland on Probation Over Breach


From: Susan Orr Consulting <susan () susanorrconsulting com>
Date: Fri, 13 Mar 2009 11:06:14 -0500

I may be mistaken since I am not a PCI certified auditor, but seems to  
me the problem isn't with the PCI DSS.  Granted the problem may be  
with those doing the audits/reviews, but we also know there isn't a  
silver bullet when it comes to security.  Having said this, I admit I  
haven't had time to look into how the breach happened and it may well  
be that the controls in place were not satisfactory.  I just hate to  
see us blast the DSS when it may be a result of who is doing the  
reviewing.  But then again none of us are perfect.  I also question  
the heavy reliance on SAS 70 audits.  So many feel that if an org has  
had a SAS 70 Type II then everything is hunky-dory.  I personally am  
not a huge proponent of them.  I think there are other "security" and  
"control" audit opts out there that aren't used or haven't been widely  
accepted yet (SysTrust and Agreed Upon Procedures  
(sharedassessments.org)).  When there is a breach at a core processor  
like DI or FundsXpress, we don't see this type of discussion and I  
personally am not sure of the difference!

But then most of you probably have more experience than I, so feel  
free to totally disregard my thoughts.




On Mar 13, 2009, at 8:17 AM, Jamie C. Pole wrote:


Oh wow!  That's going to make a HUGE difference!

Let's not forget that they WERE PCI "compliant" when they got
breached.  How is hiring another clueless QSA going to change the
basic facts here?

The whole PCI "standard" is a joke.  The PCI Standards Body needs to
go the way of the dodo, and the whole QSA concept needs to be
eliminated.  The only way there will ever be any reasonable level of
assurance that credit card transactions are safe is for a body made up
of COMPETENT security professionals to come together to define
meaningful controls that will actually make a difference.  And the
whole "pay to play" QSA game needs to be replaced with a process
whereby COMPETENT security professionals are able to demonstrate
proficiency by actions, NOT by virtue of the fact that their
application fee check cleared.

Actually, I wonder if they take credit cards for the QSA fees?  :-^
Maybe the QSA criteria should be "show us that you have breached a
payment processor, and we'll let you test other payment
processors..."  If that happened, the list of approved QSA providers
would be VERY small - and I'd bet that VERY few, if any of the people
on the current list would be on the new list.

This same thing is going to keep occurring over and over and over
until the PCI program itself is overhauled.  With the current
"controls" in the PCI DSS, I'm not sure how any of these people sleep
at night.  Especially when you consider that the QSA providers seem to
all be relying on automated scanning tools when they do their
assessments.  Two words come to mind - unlimited liability.

I love the part about "more stringent conditions"...  What?  They have
to run Nessus or Qualys ONCE a month instead of quarterly?  That's
definitely going to make a difference!  Twice nothing is still
nothing.  I suck at math, but even I can work that one out.  (By the
way, no offense meant to Nessus - it's a great product that I use
myself - I just don't believe in basing C&A decisions on automated
tools.)

Gotta love this world we live in - the PCI people have mortgaged the
future of their industry in order to sell QSA "subscriptions"...

Jamie



On Mar 13, 2009, at 8:38 AM, lyger wrote:


(courtesy Anthony M. Freed)

http://information-security-resources.com/2009/03/13/visa-puts-heartland-on-probation-over-breach/

*Removal from Visa's List of Compliant Service Providers - Visa has
removed Heartland from its online list of Payment Card Industry Data
Security Standard (PCI DSS) compliant service providers. HPS has advised,
however, that it is aggressively working on remediation and revalidation
of its systems to comply with PCI DSS standards. The company will be
relisted once it revalidates its PCI DSS compliance using a Qualified
Security Assessor and meets other related compliance conditions.*

*System Participation - HPS is now in a probationary period, during which
it is subject to a number of risk conditions including more stringent
security assessments, monitoring and reporting. Subject to these
conditions, Heartland will continue to serve as a processor in the Visa
system.*

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced
data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB
sticks transparently
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss

