Huh?

Why are these companies hosting their own web sites? The surest way to cut off that mode of attack is to pay someone else to physically host your web site (including its online store) completely separately from your corporate network.

Wrong charges?

Should have been indicted for 130 M counts of identity theft. If they penalty was one hour in prison for each count, he'd be looking at 14,840 or so years. I bet he'd give up Hacker 1 and Hacker 2 for a reduction to, say, 1000 years.

Too bad drawing and quartering has gone out of fashion.

NB. I was one of the TJX victims. No money lost, but do you have any idea how many places you have that card information stored?

Re: AC Huh?

Sometimes it's just not that easy. For multi-channel organisations, a lot of the information the web site needs is stored or calculated somewhere in the backend. An example might be a complex financial services quote engine that sits on an old mainframe; or a telco that offers online billing. You can't easily replicate the algorithms, or do nightly batch updates if real-time information is required.

What /should/ be happening (and PCI DSS requiring) is that all web servers sit in a DMZ, and that any system storing or processing card data is segregated from the rest of the network.

Sadly, PCI DSS is a little ambiguous, and organisations can be lazy in maintaining their implementation (despite annual audits). In the cases above, TJX where not PCI DSS compliant, while Heartland were.

Dan Goodin Have you every seen the PCI DSS?

"Monday's indictment is likely to revive criticism that so-called PCI DSS, or payment card industry data security standards, are an ineffective means of preventing modern attacks against servers containing sensitive card data."

Complete crap from somebody who doesn't know what he's talking about

Section 6.5.2 of PCI DSS specifically mentions removing injection flaws in webservers and 11.2 requires external scanning to test for flaws including SQL.

The PCI DSS is far from perfect but at least get your facts rights.

The problem is obviously that the QSA was negligent and didn't ensure that the systems had been tested accordingly.

I know our acquiring bank insists on seeing vulnerability free scans from our ASV every quarter.

PCI Compliance?

"Heartland executives have said repeatedly that their systems were in full compliance with the rules"

Obviously they meant to say was "... except for requirement 6.5.2 which explitly makes us validate user input to protect against injection flaws in our code...."

<FAIL>

How come this is always blamed on the PCI DSS? The standard is fine.... some of the 'Qualified' Security Assessors maybe less so..... one recently asked me if I could make all the router ACLs filter by MAC address on the clients network :S

Also @AC 21:27.... WTF? Where their kit is hosted is nothing to do with how their code is written. And there is nothing inherintly less secure about hosting in your own datacentre (or colo space) on you kit compared to someone elses.... can be more secure as your not exposed to the chance that the 3rd party are muppets.

--

Martin