[Dataloss] Obtaining PCI Co sanction info through legal discovery

[B.K. DeLong]

Hi all -

Many of us have been challenged in obtaining information from the PCI
Consortium about which companies have been fined, how much and who
among them have lost their processing privileges. I know it's
happening because I have spoken to folks in-the-know who tell me it's
happening but are under NDA.

Such information would help to combat the notion that the PCI DSS has
no teeth as well as assist those of us responsible for addressing PCI
DSS within our organizations obtain funding to do so by providing
metrics on its impact to management.

I've spoken with a few lawyers and asked if information about said
sanctions could be obtained through discovery during legal
proceedings.

Here's the gist of the response - which may already be a no-brainer to
many of you.

"Certainly anything that the PCI Consortium would have communicated or
delivered to the company in violation of the DSS would be
discoverable. In some situations one can obtain fine letters from the
bank for litigation purposes without a subpoena."

Perhaps such insight can be the basis for gathering information about
any PCI Co actions regarding the thousands of breaches in the Data
Loss Database.

Though who would be willing to wade through legal proceedings and
contact the lawyers of those suing companies for breach of their
client's credit card information ?

Thoughts?



-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org