It’s been a few days now, and the dust is still settling as they say. Anton Chuvakin posted some great thoughts on the hearing, including one that I TOTALLY missed.

In Mr. Jones’s[1] defense, the site that has the XSS error in it MAY NOT be in scope for PCI depending on where the code base lies, but regardless, the vulnerability is inexcusable from a guy talking to Congress about this stuff.

I fired the info around to some of our consultants and had a couple of responses of note.

James, a Consulting Manager in our group says (I am paraphrasing some of this):

The contention that PCI forces retailers to stray from their core competency of retail seems to be misleading. Small Level 4 merchants certainly do not have IT security backgrounds, let alone resources, but they also usually have small to nonexistent systems to protect. The core target of PCI, large Level 1 brick and mortars and prominent e-commerce portals, rely on IT excellence for operational efficiency and have long disenfranchised security efforts to the detriment of the consumer. The competency at maintaining systems securely should grow with the corporation and can be achieved without disrupting the “core competency.”

James makes a good point here… From a sheer numbers game, Level 4 retailers outpace any other group in the number of compromises. Of course, it’s not hard when you have seven million counterparts in your group. But when you look at the number of records compromised, the big retailers are the ones that have exposed the most… probably! I just did a little quick math and that assumption requires big ticket breaches to continue to happen.

Regardless, James points out that security should exist as a partnership between technology, human resources, and the business to allow the enterprise to grow securely.

James also points out that “Mr. Lungren seems to have a lot of bad luck when paying for meals. Make sure you bring an extra credit card if dining with him.”

One final thing that we in the industry deal with every day. James says:

I think Ms. Clarke may be jumping on the “PCI does not equal secure” bandwagon a tad bit late. We’ve all been in enough conference rooms where the “above and beyond the PCI standard” does not exist.

Frank, a Sr. Consulting Manager in our group says:

Main point: PCI is a baseline that prevents most breaches, and in all cases to-date, no compliant entity has ever been breached. Counterpoint: ambiguity in the standard and/or interpretation by a QSA leads to differing opinions on applying the standard. Folks, SQL injection vulnerability on an external website is a no-no, and should have been found at multiple checkpoints of the DSS, no matter what shade of rose is on your glasses.

shaZAM! Of course he’s absolutely right. Setting the standard aside, vulnerabilities like that should be found and fixed using standard security practices.

He concludes his thoughts with this nugget:

End-to-end encryption is NOT a silver bullet. If hackers have full access to the internal PCI network, then they have the opportunity to attack the encryption methods as well. We all know that merchants extract information from the authorization process, and would need de-encryption mid-stream to maintain their data warehouse appetites.

As a marketing guy by training, I can tell you that there is value in certain types of data that might fly through the various flows that merchants use. What is going to happen if retailers adopt end-to-end encryption? Will the marketing guys get creative and find a way around the control? Maybe the newest reincarnation of the write-my-complex-password-down-on-a-postie-and-stick-it-under-my-desk-because-no-one-will-look-there workaround?

Time will tell!

Anyway, I hope you all enjoyed the briefing as much as I did!

OH! And we had a small “holiday” this week, April Fools Day! Here’s a GREAT roundup of the most popular pranks. The Opera face gestures prank is exceptionally hilarious, and I can see lots of HR incidents getting started over innocently opening a speed dial.

This post originally appeared on BrandenWilliams.com.

  1. CMS 7.18. Look it up.