BreachExchange mailing list archives

Re: Visa/PCI, care to spin-doctor this crap?


From: Adam Shostack <adam () homeport org>
Date: Fri, 27 Feb 2009 20:01:45 -0500

Auditing can and should find deception by firms.  That is one of the
goals of an audit.

Auditors do this by sampling the claims made.  If you say you have X
dollars in income in a day, the auditor might look at the bank account
and see the money coming in in a day, and trace some of it through the
PO/deliver/invoice process.

On the IT side, if you claim to have a patching process in place, you
follow a patch from the vendor to the deployment, see if the logs are
checked, and then manually validate that the patches are where they're
expected to be.

If detecting fraud is not a goal of audits, what is the goal of
audits?

If you object that this is too expensive, consider the alternative,
which seems to be playing itself out now.

Adam

On Fri, Feb 27, 2009 at 10:16:12AM -0800, Kenton Hoover wrote:
| QSA contracts with clients tend to limit liability rather strongly. It would
| be foolish not to do so. For example, the QSA can't manage a situation where
| they are being deliberately lied to by their client as part of a program of
| deception -- no auditing standard can.
| 
| 
| On 27/02/2009 08:14 PT, "Clint P. Garrison" <garrison.clint () gmail com>
| wrote:
| 
| > That is true. It all comes down to "Safe Harbor". You have to indicate
| > the date the assessment started and when it was complete in the ROC.
| > It's a PCI DSS requirement for the ROC. (See the Executive Summary of
| > the PCI DSS) That is the so called "snapshot" in time. If the QSA
| > reports that during that time period the merchant was compliant and
| > the forensics investigation shows the breach occurred between those
| > dates, I would expect that would cause issues for the QSA. If the
| > breach occurs outside of that date range, it should be on the merchant
| > for not maintaining compliance.
| > 
| > Clint P. Garrison
| > 
| > 
| > On Fri, Feb 27, 2009 at 6:40 AM, B.K. DeLong <bkdelong () pobox com> wrote:
| >> That's been a long time question of mine. Have any merchants been
| >> successful in transferring risk and accountability for PCI Compliance
| >> back to the auditor via their contract?
| >> 
| >> But likewise, that audit is good for only that finite point in time,
| >> correct? As soon as changes start being made, it becomes non
| >> compliant. Especially if you have policy not strictly followed or
| >> rigorously enforced.
| >> 
| >> On 2/26/09, Michael Hill, CITRMS <mhill () idtexperts com> wrote:
| >>> Does Trustwave have any responsibility and/or liability?
| >>> 
| >>> 
| >>> 
| >>> Michael Hill, CITRMS
| >>> www.idtheft101.net
| >>> www.identitytheftCompliance.net
| >>> 404-216-3751
| >>> 
| >>> 
| >>>> 
| >>>> Understanding a Data Compromise and How to Respond
| >>>> A Communications Guide for Issuers
| >>>> 
| >>>> http://cardnet.pcua.coop/cardspromo/Attachments/SecurityBreachGuide012009.pdf
| >>>> 
| >>>> Setting the Standard in Security
| >>>> 
| >>>> Protecting cardholder data is the best front-line defense to prevent
| >>>> fraud, especially counterfeit and card-not-present types. In fact, it's the
| >>>> single best defense for a merchant or processor to reduce its risk of
| >>>> being a victim of a data compromise. Since 2001, Visa has required that
| >>>> all merchants and service providers that store, process, or transmit Visa
| >>>> cardholder data adhere to the highest security standards. Today, no
| >>>> merchant or processor that has been compliant with the industry's data
| >>>> security requirements, known as the Payment Card Industry Data Security
| >>>> Standard (PCI DSS), has ever experienced a data compromise.
| >>>> 
| >>>> --
| >>>> 
| >>>> http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
| >>>> 
| >>>> As Of 2/11/2009
| >>>> The companies listed below were validated as being PCI DSS compliant by a
| >>>> QSA as of the "VALIDATION DATE".
| >>>> 
| >>>> Company                      Validation Date   Service                    QSA
| >>>> Heartland Payment Systems*   April 30, 2008    Payment Processing         Trustwave
| >>>> RBS WorldPay Inc.*           July 31, 2008     Merchant Payment Services  Trustwave
| >>>> 
| >>>> --
| >>>> 
| >>>> Ok Visa, clear this up for us little people (the customers). On one hand
| >>>> you say that no PCI DSS compliant vendor has suffered a breach. On the
| >>>> other hand you confirm that two PCI DSS compliant vendors have suffered
| >>>> breaches. Is this where you tell us that "PCI is a snapshot in time"? If
| >>>> so, then there is absolutely no value to PCI compliance as an organization
| >>>> gets their colored seal of approval and before they can frame it, they are
| >>>> technically not PCI compliant any more. The 'snapshot' excuse means that
| >>>> no organization is really PCI compliant; by the time you update that PDF,
| >>>> they aren't any more.
| >>>> 
| >>>> So that means it is more than a 'snapshot' and that organizations *are*
| >>>> PCI DSS compliant for X days/weeks/months after the ASV/QSV walks out the
| >>>> door. Fill in the X for us Visa, because it sure seems to many of us that
| >>>> X reaches the expiration date shortly before a breach becomes public.
| >>>> Trying to use pedestrian wording to confuse the customers is disingenuous
| >>>> at best, criminally negligent at worst. Either the companies are PCI
| >>>> compliant by your standards or they aren't, and that timeframe of
| >>>> compliance should be very clear to the (little) people affected.
| >>>> 
| >>>> Man up Visa, which is it? PCI DSS compliant vendors have been breached, or
| >>>> PCI DSS compliance is a fairy tale notion that has no real world
| >>>> application or value. Sorry, no 'c' choice here.
| >>> 
| >>> _______________________________________________
| >>> Dataloss Mailing List (dataloss () datalossdb org)
| >>> 
| >>> CREDANT Technologies, a leader in data security, offers advanced data
| >>> encryption solutions.
| >>> Protect sensitive data on desktops, laptops, smartphones and USB sticks
| >>> transparently
| >>> across your enterprise to ensure regulatory compliance.
| >>> http://www.credant.com/stopdataloss
| >>> 
| >> 
| >> --
| >> Sent from my mobile device
| >> 
| >> B.K. DeLong (K3GRN)
| >> bkdelong () pobox com
| >> +1.617.797.8471
| >> 
| >> http://www.wkdelong.org                    Family.
| >> http://www.ianetsec.com                    Work.
| >> http://bkdelong.livejournal.com             Life.
| >> 
| >> 
| >> PGP Fingerprint:
| >> 38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE
| >> 
| >> FOAF:
| >> http://foaf.brain-stream.org
| >> 
| 
