2 posts • joined Tuesday 18th August 2009 09:59 GMT
Obviously these guys handle CCard details and therefore need to be PCI DSS compliant..... this is one of those occasions where the Security Standards Council / Card Issuers need to use the big stick and impose sanctions (i.e. revoke certification and resultant fines) as they would for a company that size that has not achieved compliance by their target date.
To say... "I have no idea if someone reported a vulnerability. But I am going to do nothing about how we handle vuln reporting" is totally unacceptable and, quite apart from the failure to comply with Requirement 6.5 (secure development of websites), it is surely also refusing to comply with 12.9 "Implement an Incident Response plan" or Req 5 "Maintain a Vulnerability Management Program".
Totally lame..... if I had any business with them (which I don't) I would be pulling it and moving to someone else. If the PCI SSC is not going to use the big stick, then the public needs to when companies display this type of attitude..... by voting with their feet!
"Heartland executives have said repeatedly that their systems were in full compliance with the rules"
Obviously what they meant to say was "... except for requirement 6.5.2, which explicitly makes us validate user input to protect against injection flaws in our code...."
How come this is always blamed on the PCI DSS? The standard is fine.... some of the 'Qualified' Security Assessors maybe less so..... one recently asked me if I could make all the router ACLs filter by MAC address on the clients network :S
Also @AC 21:27.... WTF? Where their kit is hosted is nothing to do with how their code is written. And there is nothing inherently less secure about hosting in your own datacentre (or colo space) on your kit compared to someone else's.... it can be more secure, as you're not exposed to the chance that the 3rd party are muppets.
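The second post's point about requirement 6.5.2 (validating input to protect against injection flaws) is the kind of thing a code reviewer would want to see demonstrated rather than asserted. The following is an added example, not code from the poster, the article or Heartland: it uses an in-memory SQLite table (table name `cards`, the two rows and the test inputs are constructed for the example) to show a lookup written by splicing input into the SQL string beside the same lookup written with a bound parameter, plus an allow-list input check as the second layer 6.5.2 asks for. The function and table names are assumptions.

```python
import re
import sqlite3

# Hypothetical allow-list for a cardholder name field: letters, digits, space,
# hyphen and apostrophe (O'Brien is a legitimate name, so the quote stays allowed,
# which is exactly why validation alone is not enough and the query must be
# parameterised as well).
HOLDER_PATTERN = re.compile(r"[A-Za-z0-9 '\-]{1,64}")


def build_db():
    """Constructed fixture: an in-memory table with two dummy rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (holder, last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1111")],
    )
    return conn


def lookup_unsafe(conn, holder):
    """The 6.5.2 failure: untrusted text becomes part of the SQL statement."""
    sql = f"SELECT holder, last4 FROM cards WHERE holder = '{holder}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, holder):
    """Bound parameter: the driver sends the value separately from the statement,
    so whatever the caller supplies is compared as data, never parsed as SQL."""
    sql = "SELECT holder, last4 FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def validate_holder(holder):
    """Allow-list check; returns True only if the whole string matches."""
    return HOLDER_PATTERN.fullmatch(holder) is not None


def lookup_validated(conn, holder):
    """Defence in depth: reject input outside the allow-list, then still bind it."""
    if not validate_holder(holder):
        raise ValueError("holder field contains characters outside the allow-list")
    return lookup_safe(conn, holder)


def compare(holder):
    """Return row counts from each lookup for one input so the difference is visible.
    A result of None for the validated path means the allow-list rejected the input."""
    conn = build_db()
    try:
        validated = len(lookup_validated(conn, holder))
    except ValueError:
        validated = None
    return {
        "unsafe": len(lookup_unsafe(conn, holder)),
        "safe": len(lookup_safe(conn, holder)),
        "validated": validated,
    }


if __name__ == "__main__":
    # Constructed inputs: a normal name and the textbook quote-breaking string.
    for value in ("alice", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

With a normal name all three paths agree on one row. With the quote-breaking string the string-spliced query matches every row in the table, the parameterised query matches none, and the allow-list rejects it outright. The point for a reviewer is that the bound parameter is the control that actually closes the flaw; the allow-list only narrows the surface, since a legitimate apostrophe has to pass.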