Category Archives: PCI

Guest Post: PCI Compliance Fees, Fines, and Penalties – What Happens After a Breach

The following is a guest post by Mark Burnette. You can reach him directly here. The PCI Data Security Standards are a set of rules designed by the credit card brands to enforce card data security. Though these are industry rules rather than laws, they can result in stiff fines and penalties for businesses, and even cost a business the ability to process credit cards. What’s more, these rules impact every business that collects, processes, or transmits card data – from mom and pop shops to retail titans. So what exactly happens to a business when it’s caught out of compliance?

Fines and penalties

Let’s say your business has suffered a data breach. First, the card brands will go to ...

So, uh, is PCI DSS effective?

After the last post, I thought I’d describe some of the challenges with measuring the effectiveness of PCI DSS. Some camps argue it is absolutely effective because there has not been a compromise to date of an entity that was fully compliant with PCI DSS at the time of their breach. Others suggest extremely low compliance rates in certain groups of merchants indicate it’s not effective in helping the little guy. A few pick up headlines and just scream that it’s broken. An industry colleague of mine, Steve Levinson, is famous for a number of sayings. One he uses when faced with numbers that sometimes don’t make sense is: “There are lies, damn lies, and statistics.” While I know he ...

Is PCI DSS Effective?

Another week, another breach. SuperValu is the latest entity to suffer a breach involving credit cards, and I saw a tweet over the weekend that inspired this post. It was along the lines of “I’d hate to be the guy who has to explain how PCI DSS is effective against breaches.” While there is some humor in the tweet, there is more than just the standard in play here. PCI DSS by itself is a good baseline for handling cardholder data. I’ve written articles, blogs, books, and given talks on the merits of PCI DSS1. PCI DSS also has flaws, compared to other compliance initiatives, that are very difficult to fix. To make matters worse, there are a number of ...

Locking your Door is a Bad Analogy for PCI DSS Compliance and InfoSec

Storytelling is a pastime that spans all of human existence. Famous stories like cultural parables or classics like Romeo & Juliet attempt to tackle complex or conflicting ideas and relate them to someone. We use it to pass information from place to place, to captivate audiences when delivering unexpected information (see TED talks), and to explain to a lay person why they should take some action. Pick a security standard or compliance initiative, and you will find hundreds of analogies that attempt to reduce its complexity to a tagline or short list of tasks. One in particular that is quite popular in the PCI DSS and information security space is comparing compliance with locking your front door. Of course you ...

The Art of Inquiry

The information security industry can sometimes fall into a rut when it creates and publishes requirements. Even in the corporate world we fall into these ruts. Go check out one of your build or hardening guides and see how much or how recently it has changed. In some respects, we don’t want to have drastic changes even when the world around us changes drastically because it makes it harder to meet those requirements. It’s that old “Your Security Rules are a Moving Target” chestnut. An old mentor of mine once told me that “compliance comes and goes, but security is here to stay”. In some respects, I think compliance is the manifestation of a purpose-built set of security rules driven ...

Don’t Listen to this ConsumerReports Advice

Lifehacker recently posted something from ConsumerReports where an author suggested asking a hotel manager for their [PCI DSS] Attestation of Compliance. Asking someone for an AoC is an exercise in futility. There is one piece of advice that is good (use credit, not debit), but the construct of asking for an AoC is really not good advice. There are a number of reasons for this. Many hotels with your favorite brands are actually smaller properties owned and operated by individual owners. Even if they have an AoC, it’s probably done from the perspective of a Self Assessment Questionnaire, which does not require a third party to review. I promise you that the vast majority of front desk clerks and managers ...

The Funny Thing about Scoping

Scoping is not a new topic for PCI DSS, and it could arguably be one of the most debated topics that we face. Several years ago the Council formed a Special Interest Group (SIG) to try and address this, but the results were mixed. You can find something called the Open PCI Scoping Toolkit that can provide some additional guidance, but the danger here is that it is not sanctioned by the Council, therefore it is not official documentation to be used to determine the scope of an assessment. In the next version of our PCI Compliance book, due out later this year, we spent some more time on scoping. The results are still virtually the same, however. Removing things ...

More Fun with EMV

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch entitled, “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US that are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...

MasterCard Offers Incident Response Planning Webinar

Requirement 12.10 has been present in all versions of PCI DSS and earlier versions of the CISP standard, yet clearly people either struggle with meeting the requirement or with executing an incident response plan. MasterCard announced yesterday a new, upcoming webcast that delves into the details behind requirement 12.10 in PCI DSS 3.0. It’s free, so go register! In the meantime, I have a few older posts that you might enjoy around incident response. Check them out! The Apple Incident Compliant Compromise (Guest post by Frank Castaneira) Boss, I Think Someone Stole our Customer Data Contracts & PCI (Guest post by David Navetta) Man Up MDs! Enjoy!

Would you pay for a PCI DSS 2.0-3.0 class?

The PCI Council released a training course on PCI DSS 3.0 (via Security Innovation) dubbed an “Insider’s Guide” to the new standard. The training has a price tag to get access to the materials, and some might deem it a bit hefty considering it is only a 90-minute course. In fairness, the Council is competing with free here as a number of experts have already built, delivered, and recorded courseware for on-demand viewing on these differences. So any price for materials might appear to be “hefty.” Also, don’t forget the Council already released this freely available document which should theoretically cover all of the same materials. Is there overlap with existing training offerings? If you are relatively new to PCI ...
