Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target, PCI Auditor Trustwave Sued By Banks
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CJDTX
50%
50%
CJDTX,
User Rank: Apprentice
4/30/2015 | 12:19:40 PM
Re: Compliance Does Not Mean Hack-Proof
No merchant has EVER been breached that was PCI compliant, just ask the council!  Every breached merchant either the QSA missed something, rendering the compliance invalid, or something changed after they were certified as compliant.  Since PCI is a point in time audit, you are really only compliant for the day your AOC is issued.
jlindema
50%
50%
jlindema,
User Rank: Apprentice
3/28/2014 | 6:55:29 PM
card brands and banks have failed to invest sufficient resources...
Bingo!
I have no sympathy for card-issuing banks.
I believe banks should bear the costs of advancing card technology, NOT the merchants.

Skimming fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (over 7) years. Just one of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant. This is the only solution that I know of that works for BOTH card-not-present and card-present transactions. Chip and PIN is a great step forward, but ONLY addresses the problem when the card is present.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it's "too costly". This is not entirely true.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.
A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

Again- whether or not card data is stored at (or scrapped from) the POS terminal is irrelevant, if the data itself (the card number) changes with every transaction.

See Dynamics Inc.'s webpage (/Corporate/Products) and their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php]
Here: http://bit.ly/19fbXKb
(last archived by archive.org on Oct. 1st, 2013).

Target, Neiman Marcus, Michael's, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) primarily responsible.
marter25
50%
50%
marter25,
User Rank: Apprentice
3/28/2014 | 2:13:44 PM
Re: Compliant vs. non-compliant is how hard you look
However, this is not Trustwave's first rodeo. A few years back a payment processor got breached and Trustwave was their QSA as well.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/27/2014 | 6:36:43 PM
PCI Security Council Weighs In
I just heard back from Bob Russo, general manager of the PCI Security Standards Council, about the organization's POV on the lawsuit filed against Trustwave and Target. Here's what he says: 

As the Council does not conduct PCI compliance assessments, we cannot speculate on any specific assessment or any related lawsuits or ongoing investigations. The Council reminds organizations that a compliance assessment is just a snapshot in time and that passing a PCI compliance assessment at one point in time does not guarantee the ongoing security of your business or data. PCI Standards are a strong security baseline to help businesses prevent, defend and detect attacks on their systems with a layered approach. But just like a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as a part of an everyday, ongoing business process.

Ed Moyle
100%
0%
Ed Moyle,
User Rank: Apprentice
3/27/2014 | 4:45:11 PM
Compliant vs. non-compliant is how hard you look
Back in the day when I was a QSA, I would tell folks that the difference between a compliant environment and a non-compliant one was in how hard you look.  

What I mean by that is that any large cardholder data environment is going to have some areas of non-compliance somewhere.  For example, consider a retail chain with 4000 locations.  Assuming that every location is going to be compliant with 100% of the standard is a recipe for problems.  To assess where the problems are, it's not workable economically (for either the retailer or the assessor) to do an assessment of every retail location, so you have to pick and choose what's in scope of the assessment vs. what isn't.  You're always picking and choosing: what machines you look at, what accounts you review, what stores you visit, etc.    

Two factors influence how realistic the assessment is: (1) how skilled the assessor is and (2) how much the retailer lies to you about what's really going on (because this happens more than you'd think).  For a #1 problem, holding the assessor's feet to the fire makes sense to me, but for #2 it seems like the assessor's not really the issue.  
Zimdog
50%
50%
Zimdog,
User Rank: Apprentice
3/27/2014 | 12:09:21 PM
Re: Should PCI auditors be prohibited from selling security services?
It's rediculous to allow an assessor to provide remediation or other services to a client they've assessed.  It's a complete conflict of interest.
Drew Conry-Murray
100%
0%
Drew Conry-Murray,
User Rank: Ninja
3/27/2014 | 10:29:46 AM
Re: Compliance Does Not Mean Hack-Proof
If the card brands really belive in PCI, I'd love to see them put some money on the line with an offer like this: if you are certified PCI-compliant and then get breached, the card brands will assume a share of the liability.

There's nothing fundamentally wrong with the PCI standards. The problem is that since PCI first came out, the PCI organization and the card brands have insisted that no compliant organization has ever been breached--in essence, saying that PCI compliance is equivalent to being breach-proof. Clearly that's nonsense: compliance does not equal perfect security, and it's a mistake to conflate those ideas.

The card brands get to set the rules for retailers via PCI, but there are no penalties for the card brands if those rules fail. It's the perfect catch-22: if you are certified compliant, and then subsequently breached, you must not have been truly compliant, because compliant companies don't get breached. Crazy.
macker490
50%
50%
macker490,
User Rank: Ninja
3/27/2014 | 9:36:47 AM
two rules of security
there are two rules to computer security:

1. the host o/s must not allow itself to be modified by the actions of a running application program.

2. the customer is responsible for the activities of the application programs running on its systems

 

i.e. oem is responsible for building secure operating software. customer is responsible for using software properly.   same as we do for cars and many other products for which we have established product liability.

it's time for product liability in software.

don't laugh at rule 1: the means for doing that have been built into x86 since 80386 when protected mode was added to the x86.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
3/27/2014 | 7:51:24 AM
Re: Compliance Does Not Mean Hack-Proof
That's a fantastic idea. Hold card brands accountable for the security of the payment card infrastructure, as well as all related processing. And imagine if Visa had to prove that its payment processing black boxes and back-end infrastructure were PCI-compliant? That would be a poetic turn of events.
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/27/2014 | 7:42:07 AM
Re: Compliance Does Not Mean Hack-Proof
Fallout from the Target breach already is speeding up the adoption of chip & pin (via Target), so maybe this legal case will spur debate and possible change with some of these PCI enforcement holes noted by Gartner's Litan.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7700
PUBLISHED: 2020-08-14
All versions of phpjs are vulnerable to Prototype Pollution via parse_str.
CVE-2020-7701
PUBLISHED: 2020-08-14
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.
CVE-2020-9228
PUBLISHED: 2020-08-14
FusionCompute 8.0.0 has an information disclosure vulnerability. Due to the properly protection of certain information, attackers may exploit this vulnerability to obtain certain information.
CVE-2020-9229
PUBLISHED: 2020-08-14
FusionCompute 8.0.0 has an information disclosure vulnerability. Due to the properly protection of certain information, attackers may exploit this vulnerability to obtain certain information.
CVE-2019-19643
PUBLISHED: 2020-08-14
ise smart connect KNX Vaillant 1.2.839 contain a Denial of Service.