Re: reporting a web site breach

["Email Cash" <and.email.cash () gmail com>]

A reporter friend of mine says he contacted Jason. He went after Chase
bank for putting their login prompt on the non-https homepage, and
they had https up within a week. Hopefully he can do something here,
too.


On 10/16/08, Jason Ross <algorythm () gmail com> wrote:
> On Thu, Oct 16, 2008 at 7:46 PM, David Glosser <david.glosser () gmail com> wrote:
>  >
>  > But beyond the "contact us" page, I didn't see any information on the
>  > pcisecuritystandards web site.
>  > Aren't they just a standards organization?
>  >
>
>
> Yes. As they define themselves:
>
>  "PCI SSC is the standards body that maintains the payment card
>  industry standards, including the PCI DSS and PA-DSS."
>    (from the Audit Procedures guide (PDF):
>  http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5767&var=1)
>
>  A couple of other relevant quotes from the PCI (found by submitting
>  the question of whom to contact about violations, they display a
>  "before you submit this, are any of these links helpful" list. I'm
>  unsure what the connection between the PCI site and the server/domain
>  these questions are hosted at is, but the PCI site linked to these so
>  I view them as 'official', YMMV. Note to, I've formatted the text. The
>  initial text was all jumbled together making it tough to read. Click
>  the links if you wish to see them in their original horribleness ;-)
>
>  "What are the consequences to my business if I do not comply with the PCI DSS?
>
>  The PCI Security Standards Council encourages all businesses that
>  store payment account data to comply with the PCI DSS to help lower
>  their brand and financial risks associated with account payment data
>  compromises. The PCI Security Standards Council does not manage
>  compliance programs and does not impose any consequences for
>  non-compliance.
>
>  Individual payment brands, however, may have their own compliance
>  initiatives, including financial or operational consequences to
>  certain businesses that are not compliant. "
>    - http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5319&var=1
>
>
>  "What are the fines and penalties assessed to companies for
>  non-compliance with the PCI DSS?
>  Any fines and/or penalties associated with non-compliance with the PCI
>  DSS and/or confirmed security breaches are defined by each of the
>  payment card brands.
>
>  For more specific information, please contact the individual payment
>  card brands.
>  For a better understanding of roles and responsibilities, please refer to:
>
>  American Express - DSOP http://www.americanexpress.com/datasecurity
>  Email: American.Express.Data.Security () aexp com
>  Discover - DISC
>  http://www.discovernetwork.com/resources/data/data_security.html
>  Email: askdatasecurity () discoverfinancial com
>  JCB - TBD http://www.jcb-global.com/english/pci/index.html Email:
>  riskmanagement () jcbati com
>  MasterCard – Site Data Protection (SDP) http://www.mastercard.com/sdp
>  Email: sdp () mastercard com
>  Visa - Account Information Security (AIS) & Cardholder Information
>  Security Program (CISP)
>  Visa AIS - Asia Pacific
>  http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais.shtml
>  Visa AIS - Canada www.visa.ca/ais
>  Visa AIS - Central Europe, Middle East, & Africa
>  http://www.visacemea.com/ac/ais/data_security.jsp Email:
>  CemeaAIS () visa com
>  Visa AIS - Europe http://www.visaeurope.com/aboutvisa/security/ais
>  Email: datasecuritystandards () visa com
>  Visa AIS - Latin America & Caribbean www.visalatam.com/ais Email:
>  aislac () visa com
>  Visa CISP - United States http://www.visa.com/cisp Email: cisp () visa com. "
>    - http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5376&var=1
>
>
>  So, in other words, as a few have already stated, contacting the PCI
>  SSC for violations is unlikely to be helpful, and contacting the
>  individual card brand is encouraged.
>
>  --
>
> Jason

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------