BreachExchange mailing list archives
Visa/PCI, care to spin-doctor this crap?
From: security curmudgeon <jericho () attrition org>
Date: Thu, 26 Feb 2009 20:31:07 +0000 (UTC)
Understanding a Data Compromise and How to Respond
A Communications Guide for Issuers
http://cardnet.pcua.coop/cardspromo/Attachments/SecurityBreachGuide012009.pdf

Setting the Standard in Security

Protecting cardholder data is the best front-line defense to prevent fraud, especially counterfeit and card-not-present types. In fact, it's the single best defense for a merchant or processor to reduce its risk of being a victim of a data compromise. Since 2001, Visa has required that all merchants and service providers that store, process, or transmit Visa cardholder data adhere to the highest security standards. Today, no merchant or processor that has been compliant with the industry's data security requirements, known as the Payment Card Industry Data Security Standard (PCI DSS), has ever experienced a data compromise.

--

http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

As Of 2/11/2009

The companies listed below were validated as being PCI DSS compliant by a QSA as of the "VALIDATION DATE".

Heartland Payment Systems*    April 30, 2008    Payment Processing           Trustwave
RBS WorldPay Inc.*            July 31, 2008     Merchant Payment Services    Trustwave

--

Ok Visa, clear this up for us little people (the customers). On one hand you say that no PCI DSS compliant vendor has suffered a breach. On the other hand you confirm that two PCI DSS compliant vendors have suffered breaches.

Is this where you tell us that "PCI is a snapshot in time"? If so, then there is absolutely no value to PCI compliance, as an organization gets their colored seal of approval and, before they can frame it, they are technically not PCI compliant any more. The 'snapshot' excuse means that no organization is really PCI compliant; by the time you update that PDF, they aren't any more. So that means it is more than a 'snapshot', and that organizations *are* PCI DSS compliant for X days/weeks/months after the ASV/QSV walks out the door.

Fill in the X for us Visa, because it sure seems to many of us that X reaches the expiration date shortly before a breach becomes public. Trying to use pedestrian wording to confuse the customers is disingenuous at best, criminally negligent at worst. Either the companies are PCI compliant by your standards or they aren't, and that timeframe of compliance should be very clear to the (little) people affected.

Man up Visa, which is it? PCI DSS compliant vendors have been breached, or PCI DSS compliance is a fairy tale notion that has no real world application or value. Sorry, no 'c' choice here.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Current thread:
- Visa/PCI, care to spin-doctor this crap? security curmudgeon (Feb 26)
- Re: Visa/PCI, care to spin-doctor this crap? Michael Hill, CITRMS (Feb 26)
- Re: Visa/PCI, care to spin-doctor this crap? macwheel99 (Feb 26)
- Re: Visa/PCI, care to spin-doctor this crap? B.K. DeLong (Feb 27)
- Re: Visa/PCI, care to spin-doctor this crap? Clint P. Garrison (Feb 27)
- Re: Visa/PCI, care to spin-doctor this crap? Kenton Hoover (Feb 27)
- Re: Visa/PCI, care to spin-doctor this crap? Adam Shostack (Feb 28)
- Re: Visa/PCI, care to spin-doctor this crap? B.K. DeLong (Feb 28)
- Re: Visa/PCI, care to spin-doctor this crap? Michael Hill, CITRMS (Feb 26)
- Re: Visa/PCI, care to spin-doctor this crap? James Ritchie, CISA, CISSP (Feb 27)
- Re: Visa/PCI, care to spin-doctor this crap? Susan Kohl (Feb 27)
- Re: Visa/PCI, care to spin-doctor this crap? halsey (Feb 27)