Re: [Dataloss] Study: About One-Fifth ofBreached Entities Were PCI-Compliant

["Al" <macwheel99 () wowway com>]

If you read the actual Verizon reports, which come out at least annually,
Verizon is in the business of serving the needs of their customer clients.
We do not have a directory of their customers, other than inference from
someone whose e-mail address has the word "verizon" in there.
They do not reveal statistics like "We have X million customers of which X
thousand were knowingly breached."
They will not reveal any info that could identify which of their customers
were knowingly breached.
They do not have data on businesses that are not their customers.

Their analysis focused primarily on what was wrong, which contributed to the
known breach at some company, and how easy it would have been to prevent it.
Only secondarily did they inquire if the company was they officially in PCI
compliance at the time of the known breach.  So for example, some site might
be in PCI compliance at one micro-second, then a second later they get
breached.  This means either:
*       The PCI is good stuff, they lost their security, then got breached;
*       There is something not in PCI standards that should be;
*       The PCI audit was flawed;
*       Someone is not being truthful.

It is evident to me from Verizon reports that some of the so-called
PCI-compliant places that were breached, had either flawed audits, or
someone is lying.  This is irrespective of whether there's room for
improvement in PCI standards.

I kept saying "knowingly breached" because in lots of cases a company did
not reveal to the world that it got breached, instead it was processing some
data for some 3rd party, like credit card info, and theft of that data was
traced back to a company that officially did not know anything was wrong.

So what are the odds that any company that has not yet been discovered, by
3rd party thefts, to be in breach condition?

-
Al Mac

-----Original Message-----
From: dataloss-discuss-bounces () datalossdb org
[mailto:dataloss-discuss-bounces () datalossdb org] On Behalf Of Chris Walsh
Sent: Friday, August 27, 2010 8:41 AM
To: Jake Kouns; dataloss-discuss
Subject: Re: [Dataloss-discuss] [Dataloss] Study: About One-Fifth ofBreached
Entities Were PCI-Compliant

I'd be extremely interested in:

1) How the population for this survey is defined
2) What their sample frame is
3) The response rate


On Aug 7, 2010, at 10:20 AM, Jake Kouns wrote:
> Verizon Business is in the midst of doing a similar survey of
> companies subject to PCI that have not been breached. 
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php
No virus found in this incoming message.
Checked by AVG - www.avg.com 
Version: 9.0.851 / Virus Database: 271.1.1/3101 - Release Date: 08/29/10
13:34:00

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php