[Dataloss] Feds seek to nab credit card thieves in La., Miss.

Jon Turner jjturner at gmail.com
Tue Aug 19 07:42:50 UTC 2008


2008/8/19 Paul Ferguson <fergdawg at netzero.net>:
> -- macwheel99 at wowway.com wrote:
>
>> A company can buy some computer system and not install, or manage, it
>> properly.
>
> I am more interested in whether they had any PCI audits or other security
> audits, and what if anything the audits had to say about their state of
> security preparedness.
>
>> Here's what went wrong at TJX Max (click on preview to see document filed
>> by 5/3 bank auditor AFTER the mess.) http://www.box.net/shared/ieae3qfqj9
>>
>> This is quite an eye-opener ... they had perfectly good computer systems,
>> but at some level of company leadership, there was no conception of their
>> security responsibilities, what it meant to be PCI compliant.
>
> It was my understanding that (according to Evan Schuman at
> StorefrontBacktalk):
>
> "...Visa knew of the extensive security problems at TJX but decided to give
> the retailer permission to remain non-compliant through Dec. 31, 2008,
> according to documents filed in federal court Thursday."
>
> http://storefrontbacktalk.com/story/110907visaletter
>
> -- ferg
Most companies are still burying their heads in the sand regarding PCI;
a large number are doing so knowingly, and a significant number have no
clue. If it's going to cost them X million to become compliant and there
is only a risk of a fine, then why should they care? At the moment it's
mainly just a risk of a fine if they lose data; as soon as the word
risk is mentioned to management, the "It will never happen to us"
complex kicks in and all chance of funding goes out the window (mainly
because now everyone thinks they know about security: AV + firewall =
secure to most non-specialists). Security is just a cost of doing
business; it doesn't add sales or company value, so everyone attempts
to minimize it.

Only when the payment vendors take away their right to process cards
will they start to take notice. From Visa's point of view you can see
why they would approve the exemption, though: either they approve it
and are able to fine them if they lose the data ($'s to Visa) and
also get 2% on most transactions through the store ($'s to Visa), and
the payment processor/vendor is liable for losses, not Visa; or they
don't approve it and remove the right to process Visa cards ($ to
Mastercard + Amex).

At the moment, it is still the security teams in most
organisations (if they have one) pushing PCI, and they don't have a
very loud voice, whereas marketing and finance do.

Oh, sorry about the first post being a rant....
