[Dataloss] Best Western Response

DAIL, WILLARD A ADAIL at sunocoinc.com
Tue Aug 26 19:55:11 UTC 2008


If you are not storing track data or other "prohibited information", you
are not using a known vulnerable payment application (or it is an
internally developed application), and you are encrypting your
information store, you should pass a PCI audit (or at least this should
not be the reason you fail one).

PCI is a minimum baseline for compliance, and it is a risk-based
program.  It is in no way, shape, or form a comprehensive set of
information security controls.  It's certainly an improvement over
nothing, but it is not a mature program in terms of technology (which
morphs at astonishing rates) or level of implementation across the
entire business sector.

Various state laws prohibit the retention of Private Personally
Identifiable Information (without a business need) as does the European
Principles on Privacy. Still, which agency or firm audits that
information prior to a breach?  It looks as if the parent company is
International, so they'll probably be speaking with EU privacy
commissioners, but under the US framework, if a state has the "business
need" caveat, who decides what constitutes business need?  Most likely
it would be the business that decides, and then its decision is
validated or repudiated by the civil legal system.

Technical details are always lacking in press articles, but it sounds
like, rather than a credit card cloning endeavor (which is PCI's focus),
this breach is more about full identity theft and the credit card
numbers are secondary to the incident, rather than material, because the
identity information in the databases would still be an issue sans the
credit information (and unless more than the PAN was being stored, the
full card # is mostly useless).
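The first paragraph above turns on whether a data store holds "prohibited information" (full track data, or PANs kept in the clear). As an added example, not part of this thread or of any PCI document, here is a small Python scan of that kind, run over a constructed reservation dump. The record layout, the sample values, and the simplified track 1 / track 2 patterns are all assumptions; the test card numbers are Luhn-valid but belong to no real account.

```python
import re
from dataclasses import dataclass

# Constructed sample records from a hypothetical reservation database dump.
# 4111111111111111 and 5555555555554444 are Luhn-valid test numbers; the
# 16-digit order id in record 10005 fails Luhn and must NOT be reported.
SAMPLE_RECORDS = [
    "res=10001 guest=ALICE pan=411111******1111 exp=2512",           # masked: allowed
    "res=10002 guest=BOB pan=4111111111111111 exp=2512",             # full PAN in the clear
    "res=10003 raw=;5555555555554444=25121010000000000000?",         # track 2: prohibited
    "res=10004 raw=%B4111111111111111^DOE/JOHN^25121010000000000?",  # track 1: prohibited
    "res=10005 order=1234567890123456 guest=CAROL",                  # not a card number
]

# Simplified magnetic-stripe layouts (assumption: a first-pass filter, not a
# full ISO 7813 parser).  Group 1 is the PAN in both patterns; after the
# separator come YYMM expiry, a 3-digit service code and discretionary data.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# Any 13-19 digit run not adjoining other digits is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    record: int        # index into the scanned store
    kind: str          # "track1", "track2" or "pan"
    masked_pan: str    # the findings report must not itself become a PAN store


def scan_record(index: int, text: str) -> list[Finding]:
    findings = []
    work = text
    # Track data first: it may never be retained after authorisation, encrypted
    # or not.  Blank out each hit so the PAN pass does not report it twice.
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(work):
            findings.append(Finding(index, kind, mask_pan(m.group(1))))
        work = pattern.sub(" ", work)
    # Then unmasked PANs; the Luhn test filters out order ids and similar runs.
    for m in PAN_CANDIDATE.finditer(work):
        if luhn_valid(m.group(1)):
            findings.append(Finding(index, "pan", mask_pan(m.group(1))))
    return findings


def scan_store(records: list[str]) -> list[Finding]:
    out = []
    for i, rec in enumerate(records):
        out.extend(scan_record(i, rec))
    return out


if __name__ == "__main__":
    for f in scan_store(SAMPLE_RECORDS):
        print(f"record {f.record}: {f.kind:6} {f.masked_pan}")
```

On the sample store this reports the clear-text PAN in record 1 and the track data in records 2 and 3, and nothing for the masked PAN or the Luhn-invalid order id. Findings carry only the masked PAN, since a scan report listing full card numbers would just create one more prohibited store. A regex pass of this sort is a check on what is retained; it says nothing about whether a payment application is on a known-vulnerable list or whether the store is encrypted, which are the other two conditions the paragraph names.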


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Harris, Michael C.
Sent: Tuesday, August 26, 2008 1:42 PM
To: dataloss at attrition.org
Cc: macwheel99 at wowway.com
Subject: Re: [Dataloss] Best Western Response
Importance: Low


There is something missing here that doesn't true out with the
expectations in the PCI standard for a level one payer.  Smaller mom and
pop level four establishments may slip by, but the mandatory audits of
level one folks should be forcing some change across the hospitality
industry... Perhaps slowly.  It should have been identified as an audit
point with a remediation plan in the quarterly or yearly PCI audit.

So who was the last quarterly PCI auditor for Best Western? Is PCI that
broken or ignored?


Level One:  6,000,000 transactions per year
  Validation:   Annual On-site PCI Data Security Assessment and Quarterly
                Network Scan
  Validated by: Qualified Security Assessor, or Internal Audit if signed by
                an Officer of the company; Approved Scanning Vendor

Level Two:  1,000,000 to 6,000,000 transactions
  Validation:   Annual On-site PCI Data Security Assessment and Quarterly
                Network Scan
  Validated by: Merchant; Approved Scanning Vendor


This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
