[Dataloss] OT? PCI Education Steak & Shake

DAIL, ANDY ADAIL at sunocoinc.com
Wed May 9 14:34:55 UTC 2007
Visa, in their letter announcing the PCI Advisory board formation,
determined that all auditors who perform on-site audits must be a QSA.
http://usa.visa.com/merchants/risk_management/cisp_assessors.html. 

The authorization for internal auditors to perform the task was under
the old CISP program (pre-PCI 1.0).  The assertion may still hold true,
but if a Level 1 does a self-assessment and then suffers a breach, Visa
would likely invalidate their audit and fine them heavily.

Of course, almost no company accepts only Visa, and not MasterCard, so
it's probably moot.
-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Clint P. Garrison
MBA, CISSP, QSA
Sent: Tuesday, May 08, 2007 3:43 PM
To: Kehoe, Matt
Cc: Data Loss Incidents
Subject: Re: [Dataloss] OT? PCI Education Steak & Shake


Actually that is not correct...

Visa and AmEx allow Level 1 merchants' internal auditors to perform the
PCI assessment, but a company officer has to sign off on it.
MasterCard's Level 1 merchants have to have a QSA perform the
assessment.

If you are referring to the quarterly (external) scans, you would be
correct. They have to be done by an ASV.

Clint P. Garrison

On 5/8/07, Kehoe, Matt <Matt.Kehoe at sephora.com> wrote:
> Having just gone through this, the biggest gotcha is that tier 1
> retailers need a "3rd party assessment" which means you can't just
> execute compliance from within....
>
> PCI standards still leave much to be desired, but it's a good step
> forward for retailing in general...
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac
> Sent: Tuesday, May 08, 2007 8:48 AM
> To: Data Loss Incidents
> Subject: [Dataloss] OT? PCI Education Steak & Shake
>
> OT because we have no info on any cyber security incident, but of
> interest what is considered to be state-of-art when it comes to
> preventing certain kinds of incidents.
>
> Steak & Shake restaurant chain has had to beef up its computer
> security because a rapid increase in their credit card transaction
> volume has taken them to more stringent tiers of PCI standards.  The
> article shows us what hoops the chain had to jump through to meet the
> standards.
>
> What we do not see here is a perspective on security rules enforcement
> to avoid more incidents like TJX.  There are also some statements in
> the article that I would take issue with.  They imply stronger
> security than my understanding of reality.
>
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=291415&source=rss_topic17
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss Tracking more than 207 million
> compromised records in 649 incidents over 7 years.