Full Disclosure mailing list archives
Re: Compliance Is Wasted Money, Study Finds
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Tue, 27 Apr 2010 16:34:45 -0500
--On Tuesday, April 27, 2010 13:37:39 -0700 J Roger <securityhocus () gmail com> wrote:
> Is PCI Compliance a giant bluff from VISA? Have any large companies ever been forced to stop processing CCs because they failed to be PCI compliant?
They don't force you to stop processing. They fine you. VISA assessed $3.3 million in fines in 2005 and $4.6 million in 2007 alone.
> According to the Verizon report 81% of attack victims were not PCI compliant. OK, then how is it that they were still processing the CCs that became compromised?
You *do* understand that if the card vendors refuse to process cards they are arbitrarily shutting down a business, right? So, when someone is breached, they're going to be fined and expected to get into compliance. If they refuse or continue to have breaches, then the card vendors might refuse to accept their business any more. But one breach is not enough to put a company out of business. I doubt VISA could win that case in court.
> Or does VISA come in after a large company has PCI data breached and then claim "oh but they're not compliant because of X that wasn't correctly identified during their last audit"? How many of those breached companies were PCI certified at the time of the breach only to have it taken away post mortem?
PCI compliance is determined by approved third party assessors, not by the card vendors themselves. If a compliant company is breached, the fines have a cap of $500,000. There is no cap for non-compliant merchants. Non-compliant merchants are also charged a higher interchange rate until they come into compliance.

PCI compliance isn't something you can have "taken away". You're either compliant or you're not, as determined by the third party assessor. And you can be compliant today and fail tomorrow. All you need is for one element to go out of compliance for some reason.

In 2007 VISA began fining their acquirers between $5000 and $25,000 a month for every merchant they serviced that wasn't compliant. (The acquirers, in general, pass those fines on to the offending merchant.)

In 2009 Ponemon surveyed the PCI landscape and found that 22% of companies were in full compliance with PCI while another 53% were either mostly or partly compliant. I suspect the fully compliant merchants were probably all or mostly all Tier 1. 79% of the companies surveyed had experienced at least one data breach that required disclosure. So even among compliant or partially compliant businesses there were a significant number of reportable breaches.

If you think this is laughable, then strap on your super security man suit and start fixing it. "Doing" security is a lot harder, at the enterprise level, than people realize. For example, try identifying and remediating all the vulnerable versions of Java in your enterprise. I'm betting you can't. I recently checked, and the average workstation had more than fifteen (15) separate versions of Java installed, most of which are vulnerable, and none of which can be updated without breaking the application they were installed with. Better yet, try getting a functioning version of antivirus that is properly updating installed on 100% of your assets. I'll bet you can't do that either. (Note I said 100%, not 99% or 98%.)
It's damn near impossible to maintain every single computer in an enterprise, without exception, to a secure standard 100% of the time and have all of them functioning without problems 100% of the time. Until software vendors get their act together and start building security in from the beginning of development, companies will continue to experience breaches. Even in a perfect world of zero vulnerable software packages you'll still have to deal with the human element, which is demonstrably harder to overcome.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/