funsec mailing list archives

Re: The PCI sky *isn't* falling!


From: nick hatch <nicholas.hatch () gmail com>
Date: Mon, 23 Mar 2009 12:46:51 -0700

On Mon, Mar 23, 2009 at 12:15 PM, Rob, grandpa of Ryan, Trevor, Devon & Hannah
<rMslade () shaw ca> wrote:


"The officer added that breaches such as the ones at Heartland Payment Systems
Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what
otherwise has been `substantial progress' on the security front over the
past year."

How *dare* the news shape public opinion?


What really frustrates me about the Heartland breach is the lack of
transparency in disclosure.

Their original press release had statements like "Last week, we learned we
were the victim of a security breach within our processing system in 2008."
and "We found evidence of an intrusion last week and immediately notified
federal law enforcement officials as well as the card brands." This should be
read as "we finally found where the breach was, months after we were
originally notified. Our CEO has been selling off stock in the meantime."
(Heartland was notified of suspicious activity statistically linked to them
by Visa on October 28th(!) 2008. [1])

I've heard plenty of rumors that the Heartland breach was an inside job from
those a bit closer to the know. It would seem to make sense.

Until the details are known in full, it seems a bit premature to debate the
effectiveness of PCI and use Heartland as evidence one way or another. Even
if the transactions were encrypted on the wire, a lack of internal controls
could still allow a theoretical insider to run amok.

-Nick


[1] http://advice.cio.com/paisano1/heartland_now_under_sec_investigation
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.