Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target, PCI Auditor Trustwave Sued By Banks
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CJDTX
CJDTX,
User Rank: Apprentice
4/30/2015 | 12:19:40 PM
Re: Compliance Does Not Mean Hack-Proof
No merchant has EVER been breached that was PCI compliant, just ask the council!  Every breached merchant either the QSA missed something, rendering the compliance invalid, or something changed after they were certified as compliant.  Since PCI is a point in time audit, you are really only compliant for the day your AOC is issued.
jlindema
jlindema,
User Rank: Apprentice
3/28/2014 | 6:55:29 PM
card brands and banks have failed to invest sufficient resources...
Bingo!
I have no sympathy for card-issuing banks.
I believe banks should bear the costs of advancing card technology, NOT the merchants.

Skimming fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (over 7) years. Just one of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant. This is the only solution that I know of that works for BOTH card-not-present and card-present transactions. Chip and PIN is a great step forward, but ONLY addresses the problem when the card is present.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it's "too costly". This is not entirely true.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology.
A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

Again- whether or not card data is stored at (or scrapped from) the POS terminal is irrelevant, if the data itself (the card number) changes with every transaction.

See Dynamics Inc.'s webpage (/Corporate/Products) and their "Dynamics Inc. - Enabling Payments 2.0®" Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php]
Here: http://bit.ly/19fbXKb
(last archived by archive.org on Oct. 1st, 2013).

Target, Neiman Marcus, Michael's, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) primarily responsible.
marter25
marter25,
User Rank: Apprentice
3/28/2014 | 2:13:44 PM
Re: Compliant vs. non-compliant is how hard you look
However, this is not Trustwave's first rodeo. A few years back a payment processor got breached and Trustwave was their QSA as well.
Mathew
Mathew,
User Rank: Apprentice
3/27/2014 | 6:36:43 PM
PCI Security Council Weighs In
I just heard back from Bob Russo, general manager of the PCI Security Standards Council, about the organization's POV on the lawsuit filed against Trustwave and Target. Here's what he says: 

As the Council does not conduct PCI compliance assessments, we cannot speculate on any specific assessment or any related lawsuits or ongoing investigations. The Council reminds organizations that a compliance assessment is just a snapshot in time and that passing a PCI compliance assessment at one point in time does not guarantee the ongoing security of your business or data. PCI Standards are a strong security baseline to help businesses prevent, defend and detect attacks on their systems with a layered approach. But just like a lock is no good if you forget to lock it, these controls are only effective if they are implemented properly and as a part of an everyday, ongoing business process.

Ed Moyle
Ed Moyle,
User Rank: Apprentice
3/27/2014 | 4:45:11 PM
Compliant vs. non-compliant is how hard you look
Back in the day when I was a QSA, I would tell folks that the difference between a compliant environment and a non-compliant one was in how hard you look.  

What I mean by that is that any large cardholder data environment is going to have some areas of non-compliance somewhere.  For example, consider a retail chain with 4000 locations.  Assuming that every location is going to be compliant with 100% of the standard is a recipe for problems.  To assess where the problems are, it's not workable economically (for either the retailer or the assessor) to do an assessment of every retail location, so you have to pick and choose what's in scope of the assessment vs. what isn't.  You're always picking and choosing: what machines you look at, what accounts you review, what stores you visit, etc.    

Two factors influence how realistic the assessment is: (1) how skilled the assessor is and (2) how much the retailer lies to you about what's really going on (because this happens more than you'd think).  For a #1 problem, holding the assessor's feet to the fire makes sense to me, but for #2 it seems like the assessor's not really the issue.  
Zimdog
Zimdog,
User Rank: Apprentice
3/27/2014 | 12:09:21 PM
Re: Should PCI auditors be prohibited from selling security services?
It's rediculous to allow an assessor to provide remediation or other services to a client they've assessed.  It's a complete conflict of interest.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
3/27/2014 | 10:29:46 AM
Re: Compliance Does Not Mean Hack-Proof
If the card brands really belive in PCI, I'd love to see them put some money on the line with an offer like this: if you are certified PCI-compliant and then get breached, the card brands will assume a share of the liability.

There's nothing fundamentally wrong with the PCI standards. The problem is that since PCI first came out, the PCI organization and the card brands have insisted that no compliant organization has ever been breached--in essence, saying that PCI compliance is equivalent to being breach-proof. Clearly that's nonsense: compliance does not equal perfect security, and it's a mistake to conflate those ideas.

The card brands get to set the rules for retailers via PCI, but there are no penalties for the card brands if those rules fail. It's the perfect catch-22: if you are certified compliant, and then subsequently breached, you must not have been truly compliant, because compliant companies don't get breached. Crazy.
macker490
macker490,
User Rank: Ninja
3/27/2014 | 9:36:47 AM
two rules of security
there are two rules to computer security:

1. the host o/s must not allow itself to be modified by the actions of a running application program.

2. the customer is responsible for the activities of the application programs running on its systems

 

i.e. oem is responsible for building secure operating software. customer is responsible for using software properly.   same as we do for cars and many other products for which we have established product liability.

it's time for product liability in software.

don't laugh at rule 1: the means for doing that have been built into x86 since 80386 when protected mode was added to the x86.
Mathew
Mathew,
User Rank: Apprentice
3/27/2014 | 7:51:24 AM
Re: Compliance Does Not Mean Hack-Proof
That's a fantastic idea. Hold card brands accountable for the security of the payment card infrastructure, as well as all related processing. And imagine if Visa had to prove that its payment processing black boxes and back-end infrastructure were PCI-compliant? That would be a poetic turn of events.
kjhiggins
kjhiggins,
User Rank: Strategist
3/27/2014 | 7:42:07 AM
Re: Compliance Does Not Mean Hack-Proof
Fallout from the Target breach already is speeding up the adoption of chip & pin (via Target), so maybe this legal case will spur debate and possible change with some of these PCI enforcement holes noted by Gartner's Litan.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41340
PUBLISHED: 2022-09-24
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.
CVE-2022-23463
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes suc...
CVE-2022-23464
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information...
CVE-2022-23461
PUBLISHED: 2022-09-24
Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.
CVE-2022-36025
PUBLISHED: 2022-09-24
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incor...