[Dataloss] Best Western Response

Jamie C. Pole jpole at jcpa.com
Tue Aug 26 20:21:45 UTC 2008 

The PCI DSS program is a joke.  Pure & simple.  Definitely broken,  
sometimes ignored.

I teach a LOT of public and private classes on auditing and ethical  
hacking/penetration analysys, and it never ceases to amaze me how  
little the people with the QSA designation actually know.  Most of  
them seem to be former IT auditors - that particular bar (QSA) is set  
W-A-Y too low.

Think about it - when was the last time you heard about a security  
breach involving credit card processing where the target was NOT PCI- 
compliant?

All of the good ones I've worked on recently have had PCI  
certification in place.  That certification has meant precisely zilch  
in the overall scheme of things.

The fact is that the PCI DSS program itself is flawed, and provides  
nothing more than a false sense of security.  When certain "security"  
companies commoditize "network scanning" to the point that it is an  
entirely automated effort, the buyer deserves what they are going to  
get.

The number of breaches involving PCI-compliant entities should speak  
for itself...

Jamie


On Aug 26, 2008, at 2:41 PM, Harris, Michael C. wrote:

> There is something missing here, that doesn't true out with the
> expectations in the PCI standard for a level one payer.  Smaller mom  
> and
> pop level four establishment may slip by, but the mandatory audits of
> level one folks should be forcing some change across the hospitality
> industry... Perhaps slowly.  It should have been identified as an  
> audit
> point with a remediation plan in the quarterly or yearly PCI audit.
>
> So who was the last quarterly PCI auditor for Best Western? Is PCI  
> that
> broken or ignored?
>
>
> Level One 6,000,000 transactions per year
> Annual On-site PCI Data Security Assessment and Quarterly Network Scan
> Qualified Security Assessor or Internal Audit if signed by Officer of
> the company Approved Scanning Vendor
>
> Level Two  1,000,000 to 6,000,000 transactions
> Annual On-site PCI Data Security Assessment and Quarterly Network Scan
> Merchant Approved Scanning Vendor

More information about the Dataloss mailing list