E-Commerce Times Talkback
The restaurant-slash-arcade-slash-bar Dave & Buster's is the latest U.S. outlet to suffer a breach of its credit card processing system. Hackers based in Ukraine and Estonia -- assisted by a guy in Miami -- apparently installed packet sniffer malware at the point of sale systems in several D&B outlets, which siphoned off "Track 2" data as the information was being transmitted over the company's network from the point of sale server to a data processor's server.
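The breach summarized above worked because Track 2 data crossed the store network in the clear, so a sniffer on the point-of-sale segment could read it directly. One way a defender verifies that cardholder data is not on the wire unencrypted is to run a Track 2 pattern check over captured payloads (for example, from a tap or mirror port on the POS-to-processor path). The script below is an added illustration, not code from the article or from Dave & Buster's; the payloads are constructed for the example, the PAN in the first one is the well-known 4111111111111111 test number, and the Track 2 layout (PAN, "=", YYMM expiry, three-digit service code, discretionary data) follows ISO 7813.

```python
import re

# Constructed sample payloads (not real captures). Record 1 carries a well-formed
# Track 2 field with a test PAN, record 2 is benign, record 3 looks like Track 2
# but its PAN fails the Luhn check and should not be reported.
SAMPLE_PAYLOADS = [
    b"POS-TXN|lane=3|4111111111111111=25121010000000000000?|amount=2499",
    b"POS-HEARTBEAT|lane=3|status=ok",
    b"POS-TXN|lane=7|1234567890123456=2512101000000?|amount=1000",
]

# Track 2 (ISO 7813): 13-19 digit PAN, '=' separator, YYMM expiry, 3-digit service code.
# The lookbehind stops a longer digit run from being split into a bogus PAN.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so a finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(payload: bytes) -> list:
    """Return Track 2 candidates in one payload that pass Luhn and have a sane month."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan, yy, mm, svc = (g.decode("ascii") for g in m.groups())
        if not luhn_ok(pan):
            continue                      # digit run that merely resembles a PAN
        if not 1 <= int(mm) <= 12:
            continue                      # expiry field is not a real month
        hits.append({
            "pan": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": svc,
            "offset": m.start(),
        })
    return hits


def scan(payloads) -> list:
    """Scan a sequence of payloads; each finding records which payload it came from."""
    findings = []
    for idx, payload in enumerate(payloads):
        for hit in find_track2(payload):
            hit["payload_index"] = idx
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PAYLOADS):
        print(f"cleartext Track 2 in payload {f['payload_index']} at offset "
              f"{f['offset']}: PAN {f['pan']}, exp {f['expiry']}, svc {f['service_code']}")
```

Any finding from a monitor like this means the POS-to-processor link is carrying cardholder data in cleartext and needs encryption (or end-to-end encryption at the terminal) before an attacker with network access can do what the Ukrainian and Estonian crew did here; the Luhn and month checks keep the alert rate down on ordinary numeric fields such as amounts and timestamps.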
Jason, from what I have seen it is a long time coming; most organizations and enterprises will not even make this year's cut-off date.
The flip side is, being PCI compliant does not at all mean you are secure. If we build our security based on the current standard (ISO27001/ISO27002), which itself is "always" updated, then we are all that much better off.
Simply stating "we were compliant" at the time of the compromise is similar to "we are 100 percent secure against any/all vulnerabilities." Neither statement is ever true in today's rapidly changing technology.
Posted by: nellwal 2008-05-14 05:52:32 In reply to: Jason Z. Cohen
The PCI is not a "fairly basic set of rules" it's a relatively strict standard if followed properly. But, the problem lies in how the standard is applied and AUDITED. Auditors can only test what they are told about. If these data breaches were more closely examined I think you would find that either the auditor is not being told everything, or, as soon as they leave all attempts to comply with PCI go out the window under operational pressures. Since IT is often not seen as a "revenue producer" by the business side (which of course makes no sense) many IT managers have to fight to get resources they need to continue meeting the standard on a day to day basis. If the standard is made tougher, that's only going to force more companies into a position of rolling the dice by covering up problems, even more so than they are right now.