BreachExchange mailing list archives

Re: Visa/PCI, care to spin-doctor this crap?


From: Kenton Hoover <kenton_hoover () symantec com>
Date: Fri, 27 Feb 2009 10:16:12 -0800

QSA contracts with clients tend to limit liability rather strongly. It would
be foolish not to do so. For example, the QSA can't manage a situation where
they are being deliberately lied to by their client as part of a program of
deception -- no auditing standard can.


On 27/02/2009 08:14 PT, "Clint P. Garrison" <garrison.clint () gmail com>
wrote:

That is true. It all comes down to "Safe Harbor". You have to indicate
the date the assessment started and when it was complete in the ROC.
It's a PCI DSS requirement for the ROC. (See the Executive Summary of
the PCI DSS) That is the so called "snapshot" in time. If the QSA
reports that during that time period the merchant was compliant and
the forensics investigation shows the breach occurred between those
dates, I would expect that would cause issues for the QSA. If the
breach occurs outside of that date range, it should be on the merchant
for not maintaining compliance.

Clint P. Garrison


On Fri, Feb 27, 2009 at 6:40 AM, B.K. DeLong <bkdelong () pobox com> wrote:
That's been a long-time question of mine. Have any merchants been
successful in transferring risk and accountability for PCI Compliance
back to the auditor via their contract?

But likewise, that audit is good for only that finite point in time,
correct? As soon as changes start being made, it becomes
non-compliant. Especially if you have policy not strictly followed or
rigorously enforced.

On 2/26/09, Michael Hill, CITRMS <mhill () idtexperts com> wrote:
Does Trustwave have any responsibility and/or liability?



Michael Hill, CITRMS
www.idtheft101.net
www.identitytheftCompliance.net
404-216-3751



Understanding a Data Compromise and How to Respond
A Communications Guide for Issuers

http://cardnet.pcua.coop/cardspromo/Attachments/SecurityBreachGuide012009.pdf

Setting the Standard in Security

Protecting cardholder data is the best front-line defense to prevent
fraud, especially counterfeit and card-not-present types. In fact, it's the
single best defense for a merchant or processor to reduce its risk of
being a victim of a data compromise. Since 2001, Visa has required that
all merchants and service providers that store, process, or transmit Visa
cardholder data adhere to the highest security standards. Today, no
merchant or processor that has been compliant with the industry's data
security requirements, known as the Payment Card Industry Data Security
Standard (PCI DSS), has ever experienced a data compromise.

--

http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

As Of 2/11/2009
The companies listed below were validated as being PCI DSS compliant by a
QSA as of the "VALIDATION DATE".

Company                      VALIDATION DATE    Service                     QSA
Heartland Payment Systems*   April 30, 2008     Payment Processing          Trustwave
RBS WorldPay Inc.*           July 31, 2008      Merchant Payment Services   Trustwave

--

Ok Visa, clear this up for us little people (the customers). On one hand
you say that no PCI DSS compliant vendor has suffered a breach. On the
other hand you confirm that two PCI DSS compliant vendors have suffered
breaches. Is this where you tell us that "PCI is a snapshot in time"? If
so, then there is absolutely no value to PCI compliance as an organization
gets their colored seal of approval and before they can frame it, they are
technically not PCI compliant any more. The 'snapshot' excuse means that
no organization is really PCI compliant; by the time you update that PDF,
they aren't any more.

So that means it is more than a 'snapshot' and that organizations *are*
PCI DSS compliant for X days/weeks/months after the ASV/QSA walks out the
door. Fill in the X for us Visa, because it sure seems to many of us that
X reaches the expiration date shortly before a breach becomes public.
Trying to use pedestrian wording to confuse the customers is disingenuous
at best, criminally negligent at worst. Either the companies are PCI
compliant by your standards or they aren't, and that timeframe of
compliance should be very clear to the (little) people affected.

Man up Visa, which is it? PCI DSS compliant vendors have been breached, or
PCI DSS compliance is a fairy tale notion that has no real world
application or value. Sorry, no 'c' choice here.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data
encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks
transparently
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss


--
Sent from my mobile device

B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Family.
http://www.ianetsec.com                    Work.
http://bkdelong.livejournal.com             Life.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

