BreachExchange mailing list archives
Re: Visa Puts Heartland on Probation Over Breach
From: A K <platsakos () gmail com>
Date: Fri, 13 Mar 2009 20:17:01 +0200
The problem is that PCI-DSS is a manifestation of "having controls just to please the auditors". Yes, it is a step in the right direction, but when security dissolves into boxes to tick and automated tools (i.e. you can be PCI-compliant even if you are "ownable" by chaining a couple of vulnerabilities that by themselves do not break compliance), then things are sure to go downhill.

Jamie C. Pole wrote:
Just a quick clarification... I was not trying to say that ALL QSA providers were incompetent. However, I do feel obligated to say that the overwhelming majority of the ones I have worked with have displayed a level of competence and technical acumen that was far below the level at which I would consider hiring someone for an entry-level position in my firm.

My problem with the QSA program is very simple - I believe that it's a pay-to-play scheme. If I was a construction contractor, and I was asked to pay a fee to be able to bid on city or state construction contracts, that would be considered an act of corruption. The official would get in trouble for asking for the fee, and I would get in trouble for paying the "bribe". I believe that a certain governor was just removed from office for playing this kind of game.

By making the QSA process a pay-to-play scheme, the PCI people have ensured that the QSA population will not be representative of the population of security professionals as a whole. Put another way, wouldn't any CISSP that paid the QSA fee be in violation of the ISC2 Code of Ethics? If a pay-to-play scheme is criminal enough to get a governor impeached and removed from office, how is it not criminal enough to violate the Code of Ethics?

Let's be perfectly clear - the QSA program is not some kind of vendor partner program where you pay to get priority access to support or resources. A QSA is paying for the ability to enter into a captive market. Technical acumen or experience does not matter - all that matters is whether or not the check clears. I wonder if they publish statistics on the percentage of QSA applicants that are turned down? Just something to think about...

Obviously, this is not the entire problem with PCI, but it is definitely a significant part of it. Any process will only be as good as the people that administer it.

Jamie

On Mar 13, 2009, at 8:38 AM, lyger wrote:

(courtesy Anthony M. Freed)
http://information-security-resources.com/2009/03/13/visa-puts-heartland-on-probation-over-breach/

*Removal from Visa's List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.*

*System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.*

[...]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
CREDANT Technologies, a leader in data security, offers advanced data encryption solutions. Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss
Current thread:
- Visa Puts Heartland on Probation Over Breach lyger (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach Jamie C. Pole (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach DAIL, WILLARD A (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach Clint P. Garrison (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach Susan Orr Consulting (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach DAIL, WILLARD A (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach Jamie C. Pole (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach A K (Mar 13)
- Re: Visa Puts Heartland on Probation Over Breach Jamie C. Pole (Mar 13)