BreachExchange mailing list archives
Re: Best Western Response
From: "DAIL, WILLARD A" <ADAIL () sunocoinc com>
Date: Tue, 26 Aug 2008 15:55:11 -0400
If you are not storing track data or other "prohibited information", you are not using a known vulnerable payment application (or it is an internally developed application), and you are encrypting your information store, you should pass a PCI audit (or at least this should not be the reason you fail one). PCI is a minimum baseline for compliance, and it is a risk-based program. It is in no way, shape, or form a comprehensive set of information security controls. It's certainly an improvement over nothing, but it is not a mature program in terms of technology (which morphs at astonishing rates) or level of implementation across the entire business sector.

Various state laws prohibit the retention of Private Personally Identifiable Information (without a business need), as does the European Principles on Privacy. Still, which agency or firm audits that information prior to a breach? It looks as if the parent company is international, so they'll probably be speaking with EU privacy commissioners, but under the US framework, if a state has the "business need" caveat, who decides what constitutes business need? Most likely it would be the business that decides, and then its decision is validated or repudiated by the civil legal system.

Technical details are always lacking in press articles, but it sounds like, rather than a credit card cloning endeavor (which is PCI's focus), this breach is more about full identity theft, and the credit card numbers are secondary to the incident rather than material, because the identity information in the databases would still be an issue sans the credit information (and unless more than the PAN was being stored, the full card # is mostly useless).

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Harris, Michael C.
Sent: Tuesday, August 26, 2008 1:42 PM
To: dataloss () attrition org
Cc: macwheel99 () wowway com
Subject: Re: [Dataloss] Best Western Response
Importance: Low

There is something missing here that doesn't true out with the expectations in the PCI standard for a level one payer. Smaller mom and pop level four establishments may slip by, but the mandatory audits of level one folks should be forcing some change across the hospitality industry... perhaps slowly. It should have been identified as an audit point with a remediation plan in the quarterly or yearly PCI audit. So who was the last quarterly PCI auditor for Best Western? Is PCI that broken or ignored?

Level One (6,000,000 transactions per year)
  Annual On-site PCI Data Security Assessment - Qualified Security Assessor, or Internal Audit if signed by an Officer of the company
  Quarterly Network Scan - Approved Scanning Vendor

Level Two (1,000,000 to 6,000,000 transactions)
  Annual On-site PCI Data Security Assessment - Merchant
  Quarterly Network Scan - Approved Scanning Vendor