Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target, PCI Auditor Trustwave Sued By Banks
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CJDTX
CJDTX,
User Rank: Apprentice
4/30/2015 | 12:19:40 PM
Re: Compliance Does Not Mean Hack-Proof
No merchant has EVER been breached that was PCI compliant, just ask the council!  Every breached merchant either the QSA missed something, rendering the compliance invalid, or something changed after they were certified as compliant.  Since PCI is a point in time audit, you are really only compliant for the day your AOC is issued.
jlindema
jlindema,
User Rank: Apprentice
3/28/2014 | 6:55:29 PM
card brands and banks have failed to invest sufficient resources...
Bingo!
I have no sympathy for card-issuing banks.
I believe banks should bear the costs of advancing card technology, NOT the merchants.

Skimming fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (over 7) years. Just one of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant. This is the only solution that I know of that works for BOTH card-not-present and card-present transactions. Chip and PIN is a great step forward, but ONLY addresses the problem when the card is present.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it's "too costly". This is not entirely true.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.
A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

Again- whether or not card data is stored at (or scrapped from) the POS terminal is irrelevant, if the data itself (the card number) changes with every transaction.

See Dynamics Inc.'s webpage (/Corporate/Products) and their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php]
Here: http://bit.ly/19fbXKb
(last archived by archive.org on Oct. 1st, 2013).

Target, Neiman Marcus, Michael's, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) primarily responsible.
marter25
marter25,
User Rank: Apprentice
3/28/2014 | 2:13:44 PM
Re: Compliant vs. non-compliant is how hard you look
However, this is not Trustwave's first rodeo. A few years back a payment processor got breached and Trustwave was their QSA as well.
Mathew
Mathew,
User Rank: Apprentice
3/27/2014 | 6:36:43 PM
PCI Security Council Weighs In
I just heard back from Bob Russo, general manager of the PCI Security Standards Council, about the organization's POV on the lawsuit filed against Trustwave and Target. Here's what he says: 

As the Council does not conduct PCI compliance assessments, we cannot speculate on any specific assessment or any related lawsuits or ongoing investigations. The Council reminds organizations that a compliance assessment is just a snapshot in time and that passing a PCI compliance assessment at one point in time does not guarantee the ongoing security of your business or data. PCI Standards are a strong security baseline to help businesses prevent, defend and detect attacks on their systems with a layered approach. But just like a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as a part of an everyday, ongoing business process.

Ed Moyle
Ed Moyle,
User Rank: Apprentice
3/27/2014 | 4:45:11 PM
Compliant vs. non-compliant is how hard you look
Back in the day when I was a QSA, I would tell folks that the difference between a compliant environment and a non-compliant one was in how hard you look.  

What I mean by that is that any large cardholder data environment is going to have some areas of non-compliance somewhere.  For example, consider a retail chain with 4000 locations.  Assuming that every location is going to be compliant with 100% of the standard is a recipe for problems.  To assess where the problems are, it's not workable economically (for either the retailer or the assessor) to do an assessment of every retail location, so you have to pick and choose what's in scope of the assessment vs. what isn't.  You're always picking and choosing: what machines you look at, what accounts you review, what stores you visit, etc.    

Two factors influence how realistic the assessment is: (1) how skilled the assessor is and (2) how much the retailer lies to you about what's really going on (because this happens more than you'd think).  For a #1 problem, holding the assessor's feet to the fire makes sense to me, but for #2 it seems like the assessor's not really the issue.  
Zimdog
Zimdog,
User Rank: Apprentice
3/27/2014 | 12:09:21 PM
Re: Should PCI auditors be prohibited from selling security services?
It's rediculous to allow an assessor to provide remediation or other services to a client they've assessed.  It's a complete conflict of interest.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
3/27/2014 | 10:29:46 AM
Re: Compliance Does Not Mean Hack-Proof
If the card brands really belive in PCI, I'd love to see them put some money on the line with an offer like this: if you are certified PCI-compliant and then get breached, the card brands will assume a share of the liability.

There's nothing fundamentally wrong with the PCI standards. The problem is that since PCI first came out, the PCI organization and the card brands have insisted that no compliant organization has ever been breached--in essence, saying that PCI compliance is equivalent to being breach-proof. Clearly that's nonsense: compliance does not equal perfect security, and it's a mistake to conflate those ideas.

The card brands get to set the rules for retailers via PCI, but there are no penalties for the card brands if those rules fail. It's the perfect catch-22: if you are certified compliant, and then subsequently breached, you must not have been truly compliant, because compliant companies don't get breached. Crazy.
macker490
macker490,
User Rank: Ninja
3/27/2014 | 9:36:47 AM
two rules of security
there are two rules to computer security:

1. the host o/s must not allow itself to be modified by the actions of a running application program.

2. the customer is responsible for the activities of the application programs running on its systems

 

i.e. oem is responsible for building secure operating software. customer is responsible for using software properly.   same as we do for cars and many other products for which we have established product liability.

it's time for product liability in software.

don't laugh at rule 1: the means for doing that have been built into x86 since 80386 when protected mode was added to the x86.
Mathew
Mathew,
User Rank: Apprentice
3/27/2014 | 7:51:24 AM
Re: Compliance Does Not Mean Hack-Proof
That's a fantastic idea. Hold card brands accountable for the security of the payment card infrastructure, as well as all related processing. And imagine if Visa had to prove that its payment processing black boxes and back-end infrastructure were PCI-compliant? That would be a poetic turn of events.
kjhiggins
kjhiggins,
User Rank: Strategist
3/27/2014 | 7:42:07 AM
Re: Compliance Does Not Mean Hack-Proof
Fallout from the Target breach already is speeding up the adoption of chip & pin (via Target), so maybe this legal case will spur debate and possible change with some of these PCI enforcement holes noted by Gartner's Litan.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-1678
PUBLISHED: 2022-05-25
An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.
CVE-2021-32966
PUBLISHED: 2022-05-25
Philips Interoperability Solution XDS versions 2.5 through 3.11 and 2018-1 through 2021-1 are vulnerable to clear text transmission of sensitive information when configured to use LDAP via TLS and where the domain controller returns LDAP referrals, which may allow an attacker to remotely read LDAP s...
CVE-2021-32989
PUBLISHED: 2022-05-25
When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.
CVE-2021-32997
PUBLISHED: 2022-05-25
The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 ver...
CVE-2021-35487
PUBLISHED: 2022-05-25
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain the database user, dat...