Visa has dropped Global Payments from its list of approved service providers after a security breach at the firm exposed 1.5 million US card numbers. The world's largest credit and debit card company has booted Global Payments off its list because of the "unauthorised access into a portion of [its] processing system". Global can …
Security, we've heard of it...
"It’s essential that every business that handles payment card information adhere to the highest standards to protect the security and privacy of cardholder information and remain vigilant over time," Visa said in an emailed statement.
Not sure how this stacks up with NFC Visa cards giving out cardholder names and places like Amazon accepting orders based on the information gained from sniffing those cards.
"this intrusion was the first"
Bullshit. It's the first one they've got stuck with this kind of bad press over, is all.
"Garcia also said that there had been a lot of misinformation about the state of Global Payments' security"
So were the rumours in the press that this was only coming to light now because there was evidence the cards HAD been used also misinformation????
"You are compliant, and then if something [like this] happens, by definition you're not."
Err, no. PCI compliance is a set of standards. Just because you get broken into doesn't mean you lose compliance. It says when you patch, how often critical vulnerabilities have to be applied, etc. It provides a *best effort* methodology. A system is never hack-proof; there are always zero-day exploits and more being found.
If the *founders* of PCI:DSS consider getting hacked into a measure of being not in compliance, then the methodology is broken and needs to be reworked. Most ricky-tick.
This is down to his misunderstanding and is not in accordance with the stance of the PCI Security Standards Council. The PCI SSC and most people who deal with the PCI DSS are perfectly aware that being truly compliant still doesn't mean a breach cannot happen.
The fact that there has been a breach is indeed good evidence that the organisation was not compliant but, as you say, it doesn't prove it. So far, no organisation that has been subject to a forensic QSA assessment following a breach has proved to be compliant with the PCI DSS at the time the breach occurred, but it could indeed happen.
What he should have said is "One minute you think you are compliant, then something like this happens and you realise that you were not."
As my good buddy lotus49 has said, this is largely bad communications. There are a number of ways that a compromise can occur whilst an organisation is compliant (and means it).
The standard has some risk options factored in to it. Patch management is the most obvious. 30 days to get critical updates in is plenty of time to get hacked. That's without discussing 0 days, or people taking a risk based approach badly. IDS instead of IPS is another.
The list simply means you have submitted a compliant report to the brands at a point in time. It makes no attestation to the maintenance of compliance, and the PCI DSS has no requirements for surveillance visits built into it like ISO 27001 does.
There are lots of vested interests, and lots of organisations will want to jump up and down about what has happened to serve them. The best thing the community can do is make sure we all know what happened so that we can stop it happening again to anyone.
They could still be compliant, but they have to get their systems revalidated (checked), which isn't quite the same.
That seems sensible, since audits are not usually exhaustive. I suspect this one might be though...
"Only" 1.5 million cards stolen.
PCI DSS - Lol
"It’s essential that every business that handles payment card information adhere to the highest standards to protect the security and privacy of cardholder information..." - Double Lol
As somebody who has managed to get organisations through PCI DSS 'assessments' and 'audits' from QSAs I can say it is NOT a high standard. I applaud what they are trying to do, and the effort though (until you get a QSA who doesn't actually understand technology - which can be a nightmare). The biggest issue is that credit card companies have vested interest in organisations accepting their cards - if the standards were too high they'd have no clients (and money).
Also, why was social security information in there too? Just asking.
Re: PCI DSS
I totally agree with you; auditors generally don't know what they are looking at, taking your word for what you say you are showing them, not really understanding what the rules mean you can do, etc. Then you get one auditor now and then who does know what (s)he's doing, and brings you many more NCs than any other auditor has ever given you :)
This goes for VISA, Mastercard and PCI-DSS auditors.
With the social security info, they could be using that for fraud detection, using the SSN for linking cards together: if one card is used in one country and then another in another country, they would then know it was possible fraud. To do that they would need to know that one person had those two cards. That's if they do fraud detection.
"I am pleased to inform you we are making significant progress in defining and rectifying the breach," CEO Paul Garcia said in a conference call. "Based on forensic analysis to date, network monitoring and additional security measures, we believe that this incident is contained."
"We got a**raped by a complete stranger, but don't worry, I'm pleased to inform you I have a large box of tissues here to clean up."
PCI DSS is setting a very bad false sense of security. Too many of the "business" side think claiming you are compliant means you are secure. Too many on the IT side think they know everything about IT since "they run a good IT shop". And the QSAs are of variable quality, and often only score compliance against their own understanding.
We have more and more non-banks handling financial information (e.g. supermarkets), and they have no clue about setting the correct boundaries around the information as well as the IT.
Global Payments will not be the last breach (of data or PCI DSS). Just pray it's not your data or company that's next...
Doesn't matter what compliance...
...you're adhering to. Good IT security is proactive maintenance and monitoring. Global Payments have probably got lax and lost the plot in tracking any odd transactions or network activity. Maybe they did all the hard work getting to PCI compliance, but did nothing to maintain it.
I have recently joined a company who deal with financial information and I'm personally taking on PCI for the first time. I was quite surprised at how non-specific the standard is. I came from a risk management company who banged on about tighter controls, but didn't even deal with personal/financial information.
Let's just say Global Payments got caught with their trousers down and now need a good spanking from Visa.