[Dataloss] VISA / 1ST BANK

DAIL, ANDY ADAIL at sunocoinc.com
Thu Oct 19 17:05:23 EDT 2006


Depending on the industry and depending on the circumstances of the
breach, it could be impossible for the merchant to notify the people
affected.  A lot of retail systems store credit card numbers for
chargeback research, but the name of the card holder is not kept. 

When one of these businesses is breached, they know xxxxx number of card
numbers were possibly compromised, but not who the cards belong to
(magnetic stripe data being an exception).  In that event the company
has no choice but to notify their settlement provider, who will in turn
notify the issuer, who can cross-reference card numbers with card
holders.



Andy Dail
Sunoco PCI Project Manager
(918) 586-6160

	-----Original Message-----
	From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Dennis Opacki
	Sent: Thursday, October 19, 2006 3:43 PM
	To: dataloss at attrition.org
	Subject: Re: [Dataloss] VISA / 1ST BANK


	The way I read the notification, it didn't sound like the
	processor was affiliated with 1st Bank:
	
	"We would also like to reassure you that the compromise of
	information occurred at a merchant card processor's location, not
	FirstBank and therefore your account information at FirstBank has not
	been obtained by these unauthorized indivuduals(SIC)."
	
	Perhaps they are just notifying customers affected by another
	company's gaffe? Must be a bad day if they didn't even spell-check the
	notification before it went out.
	
	-Dennis
	

________________________________

	From: B.K. DeLong
	Sent: Thu 10/19/2006 1:21 PM
	To: Chris Walsh
	Cc: dataloss at attrition.org
	Subject: Re: [Dataloss] VISA / 1ST BANK


	Is it that hard to find out who did the card processing for 1st Bank?


	On 10/19/06, Chris Walsh <cwalsh at cwalsh.org > wrote:

		On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
		> Well, whoever it was will probably get whacked with a HUGE fine for
		> violating PCI Security standards. I'm guessing it won't take long to
		> determine who falls under approved card processors for Visa.
	
	
		They might get fined, but not by Visa.  Too much butter on that bread
		to throw it in the bin.
	
		The FTC, OTOH, may do some enforcement:

http://www.emergentchaos.com/archives/2006/06/prediction.html
	
		Visa has been zealously guarding the "privacy" of these processors since
		at least December of 2005, when the Sam's Club stuff started to hit the
		fan.  Even Gartner called MC and Visa out on it:

http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html
	
		Chris
	
	




	--
	B.K. DeLong (K3GRN)
	bkdelong at pobox.com
	+1.617.797.8471

	http://www.wkdelong.org/                    Son.
	http://www.ianetsec.com/                    Work.
	http://www.bostonredcross.org/             Volunteer.
	http://www.carolingia.eastkingdom.org/   Service.
	http://bkdelong.livejournal.com/             Play.


	PGP Fingerprint:
	38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

	FOAF:
	http://foaf.brain-stream.org/


