FTC Demands Info From PCI Auditors On Breached Companies' Compliance

← Back to Stories (view on slashdot.org)

FTC Demands Info From PCI Auditors On Breached Companies' Compliance

Posted by timothy on Tuesday March 8, 2016 @08:14AM from the show-me-on-the-doll dept.

Trailrunner7 writes: The Federal Trade Commission has sent an order to nine of the larger companies that do PCI DSS assessments, demanding that the organizations turn over detailed information on how they conduct those audits, how often they actually declare a company non-compliant, and many other details. The FTC on Monday said it has sent orders to nine of these companies, including Mandiant, PricewaterhouseCoopers, and Verizon Enterprise Solutions, requiring that they provide details of how they handle those assessments. Specifically, the FTC is very interested in how many companies were deemed PCI compliant in the year before they suffered a data breach. Many companies that have been victims of data breaches over the years have touted the fact that they were PCI compliant at the time of their breaches. This has not escaped the FTC's notice

101 comments

Min score:

Reason:

Sort:

joek by blackomegax · 2016-03-08 08:22 · Score: 2

PCI compliance is a joke anyway. 100% security theater.
1. Re: joek by Anonymous Coward · 2016-03-08 08:28 · Score: 3, Funny
  
  Yeah,and PCI express is much faster anyway.
2. Re:joek by Anonymous Coward · 2016-03-08 08:34 · Score: 0
  
  This guy gets it. I have personal experience with a company whining to their auditor's manager that they didn't get their RoC despite some key flagrant PCI violations. Next day, miraculously, the RoC was released, with nothing changed on the part of the company.
  Auditing companies exist to make their customers -- the companies paying to be audited -- happy.
  captcha: ascetic, i.e. the opposite of this situation
3. Re:joek by Anonymous Coward · 2016-03-08 08:39 · Score: 0
  
  That's because PCI is either a skapegoat or a way to increase security depending on whether you're a member of smart or stupid upper management.
4. Re:joek by Anonymous Coward · 2016-03-08 08:44 · Score: 0
  
  I was coming to post something very similar. What the FTC will finally discover is what a joke PCI is. PCI auditors will not have any data at all, nothing. I have more auditing data on companies and I don't even do this shit. This post alone has more content than and PCI company has in regards to data. Passing an audit takes $100. Done, nothing else needs to happen at all. PCI "auditors" employee no human at all and have found absolute jack shit 100% of the time.
5. Re:joek by Anonymous Coward · 2016-03-08 08:48 · Score: 3, Insightful
  
  I had a retail company that ran credit cards. We had to "'pass" an "audit" yearly. Took $99 to pass, simple as that. They supposedly did "auto" testing on the IP address for our store. Which was a dynamic IP address to start with and was not static. Small ma-n-pa retail shop. So while they had an IP address when I first logged into their website, they continued testing that one IP address after it had changed dozens of times and still continue to test that old Comcast IP address even though the store now runs through a different provider...
  It's a joke and a scam
6. Re:joek by Anonymous Coward · 2016-03-08 08:51 · Score: 1
  
  PCI compliance is a joke anyway. 100% security theater.
  I'm a PCI qualified security assessor for a smaller firm, not one of the ones that was included in the above list. For one thing, compliance is not necessarily the same thing as security. And while there are some subrequirements of questionable effectiveness, none of them would qualify as 'security theater'. If I had to level a criticism on the entire system, it's this: The rigor of testing from firm to firm, and willingness to interpret requirements in ways that are beneficial to lazy sysadmins varies greatly. When assessor firms are trying to win contracts, they may not leave enough hours to sufficiently test an environment, so they cut corners and miss things. Companies that don't see eye to eye with their QSAs (for example, we break the news that a very expensive configuration is not compliant) will ditch them, and shop for someone who will agree with them. This isn't allowed, but I haven't heard much in the way of enforcement.
  To the article's point, what both assessed companies and the FTC need to understand is that assessments are a point in time. They may have recently gotten a clean report on compliance, but they probably still were not PCI compliant at the time of breach. And just because you're PCI compliant doesn't mean that you won't get breached. Like any other compliance measure, it is simply the cost of entry to be a standard-bearer of major card brands.
7. Re:joek by Anonymous Coward · 2016-03-08 09:01 · Score: 0
  
  Too often security is sold as a new 'black box' on the network which will quietly eliminate everything bad
  The problem is that providing security is never that simple. It requires constant identification of issues, determining if they are patchable ( or require development) and updating your development methodologies to be more secure. Your admins had better be on top of the all the required patches for their applications and the business people need to accommodate acceptance testing and implementation cycles. Oh, and this needs to happen quarterly...
  And none of that will buy you the 100% security that the black box seller claims to deliver. Unfortunately, the new owners of the black box rarely check its log output or patch level, leaving them even more exposed in the not-so-distant future as each black box is targeted and exploited.
8. Re:joek by tnk1 · 2016-03-08 09:02 · Score: 1
  
  Speaking as someone who has been in charge of PCI compliance (it was v2, not v3) for a small company, I disagree, but I understand why you would think so.
  Many of the PCI requirements are simply common sense. You'd want to run your security that way anyway.
  There are a few provisions of the PCI DSS where security people could have an honest disagreement with the actual requirements. In those cases, you could present compensating controls which mitigate the issues, which would make it harder for you to convince an auditor to sign you off, but in the end, they are accepted if this is a well researched change.
  One of the biggest flaws I have seen is that every PCI level below Level 1 is a self-certification unless the bank in question requires you to have an audit at the lower level. Admittedly, I see where audits are very expensive, but if you're handling credit card data, there should be at least some sort of sign off.
  Obviously, moving to the auditors, the auditors are hired by the company. That usually doesn't mean much, as no auditor is going to risk their reputation for the peanuts I was paying them, but bigger companies they may be more willing to play ball with. There has been at least one auditor in that space that I am aware has either provided a product that gives certification for mere payment on-time (we obviously didn't go with them) or they will bend over to make their customer able to pass.
  While I agree this is a serious problem, I don't think it discredits the program, it is merely a hole in enforcement which you would have to deal with in any regime where big companies are involved. The big companies are good at this, it's not like they don't regularly pull one over on the government too.
  But the one thing that I think keeps people on their toes is actual third party audits which are reported out. As you might argue, some companies create what I would call "compliance fictions" that allow a once-per-year audit to be passed without actually having to change bad practices, but what are the other options that are not difficult to operate? I spend months ensuring that our security is up to par with all the reporting that we do, but if the reporting becomes too onerous, we end up having to hire more people, which is very difficult unless you are a bigger company. Regulations do have the effect of making big companies much more attractive as providers, but as we know, those sorts of companies are both more expensive, less innovative, and much more likely to attempt to influence lawmakers with their large amounts of money.
  The best things we can do are keep the auditors honest. It may be that we find a way for auditors to not be funded by companies directly, but rather through program fees paid to a trade organization. I'd prefer to keep the government out of this, as the government's security programs aren't much better outside of the classified realm, and their requirements and working with agencies and their security contractors makes me want to stab myself repeatedly just to end the pain.
9. Re:joek by Anonymous Coward · 2016-03-08 09:06 · Score: 2, Funny
  
  I'm a PCI qualified security assessor for a smaller firm
  I'm a prince from Nigeria too! We should meet up for coffee sometime and discuss our strategies. You seem to be flying under some sort of legal banner that makes it easier for you to take money from unsuspecting people. I'd like to learn how you do this.
10. Re:joek by Anonymous Coward · 2016-03-08 09:09 · Score: 1
  
  As I posted anonymously above, big companies can buy and bully their way into PCI compliance.
  Small companies can't literally afford to take it as a joke. At the company I worked for, we had enough money budgeted for one PCI audit. If we failed the audit then our company would be out of business. Two people including myself were hired because we didn't have enough personnel to have any hope of passing.
  As a result you see breaches at large companies who have clearly shopped around for the most useless auditor, have thrown money around, or have thrown lawyers around to subvert the process.
11. Re:joek by Anonymous Coward · 2016-03-08 09:20 · Score: 0
  
  You claim it's not a security theater yet you then go on to outline how it is exactly a security theater. PCI requirement are set to maintain a secure environment for processing, storing and transmiting payment info. So if that "secure environment" doesn't prevent breaches than it is 100% security theater.
12. Re:joek by KitFox · 2016-03-08 09:26 · Score: 1
  
  A different consideration can be summed up in the idea that PCI Compliance makes a company "impossible to be hacked" in the same sense that being an "important and secure government agency" makes the FBI "impossible to be hacked". A frequent view is that PCI DSS means nothing at all because even fully-compliant companies can be hacked.
  The middle ground is the concept that PCI Compliance just makes the company less likely to be breached and the recognition that common sense isn't all that common (despite the sads this causes for people who would think "don't store PII unencrypted" should be akin to "don't stab yourself in the eye with a fork in an attempt to improve your vision"). PCI compliant companies can (and will) still be hacked. This is more of a question of "Is the PCI standard a proper balance to reduce the threat, and were these companies -really- PCI compliant, or just saying they were and so we need to revisit how we are addressing this one way or another?"
  
  --
  @Whee
13. Re:joek by Anonymous Coward · 2016-03-08 09:32 · Score: 0
  
  As someone who's dealt with making my company "compliant" for nearly ten years, it is mostly a joke. It's gotten better (when I started the bulk of the work was around defining the scope so narrowly that all of the insecure systems were conveniently "out of scope", now it's more about excluding stuff that's going to ruffle too many feathers when it gets locked down while being as secure as possible), but since we also deal with credit card companies as our clients I can tell you that the standards PCI imposes upon us are often ignored by those same companies who created the standard. Sure, they'll make sure anything external facing is compliant (or close to it), but once you get inside their network anything goes. That's why you get these breaches - as soon as the external shell is penetrated somehow there's no protection for the soft creamy center...
14. Re:joek by sconeu · 2016-03-08 09:38 · Score: 1
  
  My read:
  PCI compliance makes you less likely to be breached -- but you still can be breached.
  PCI compliance mitigates the damage caused by said breach -- but you're still responsible.
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
15. Re:joek by Anonymous Coward · 2016-03-08 09:41 · Score: 0
  
  OTOH I informed a customer they needed to do about 6 months work to be ISO27000 compliant, and never heard from them again.
  That wasn't even the audit, that was the gap analysis. And the customer was lying to my face, as if it mattered.
16. Re:joek by Anonymous Coward · 2016-03-08 09:45 · Score: 0
  
  Yeah, it has gotten better, but it started as a lot of wtf. Requiring NAT for 'security', saw on audit's solution for anonymous SSL ciphers suggested as "disable SSL", version numbers of software being the almighty arbiter of if it's a secure release or not, nevermind a distribution having all the backports and fixed CVEs noted for the installed package... folks having to move off of long term support OS releases due to an auditor being a stick in the mud on the latter.
  Most of those seem to be better understood now, but it was a mess educating the "knowledgeable professionals" for a while.
17. Re:joek by Zaelath · 2016-03-08 09:45 · Score: 1
  
  Well, this is either a complete fabrication or someone is selling PCI audit stickers for $100. I can guarantee PWC isn't charging $100...
  I can give you a degree from Kenosis University for $100 too.
18. Re:joek by The-Ixian · 2016-03-08 10:02 · Score: 1
  
  I did IT consulting for SOHO to small business customers for years.
  I have set up many credit card machines and somewhere along the line these tests became required.
  It really is a total scam. They just run a glorified nmap scan of your network and try to find all of the things that are open.
  In my experience, every open port, no matter what, was flagged and assigned some kind of positive point value... Get enough points and you "fail".
  My general practice was to turn off any external facing services, queue up the test, wait for it to complete then turn on the services again.
  
  --
  My eyes reflect the stars and a smile lights up my face.
19. Re:joek by nuckfuts · 2016-03-08 10:05 · Score: 1
  
  I've been alerted to vulnerabilities on an Internet-facing host after being scanned for PCI compliance. I found the notifications useful and informative.
20. Re:joek by Anonymous Coward · 2016-03-08 10:25 · Score: 1
  
  Auditors are easily suppressed or evaded. I had an auditor once who asked excellent questions and was able to piece together a lot despite lots of obfuscation. A call to his boss and he got back in line. Despite 12 months of CC numbers with CCV and expiry being stored in a plaintext file on the server, no negative findings. This is for a backend gateway, not a merchant (ie you'd expect the rules to apply even more). PCI-DSS is an absolute lie. It exists for the purpose of insurance and marketing. It is true that a lot of companies would like to have those very basics covered, and generally will. But they won't pay someone to bring their rep down just because the company didnt want to spend the time and money on meeting the requirements. Its true that an auditor doesnt want their rep harmed by giving out lousy approvals, but there are 2 counters. For smaller auditors, a negative finding against their client means no more clients want them (or not enough to be a stable business). For larger auditors I thought we'd be boned. Turns out, larger auditors belong to larger orgs with a more diverse presence in the industry. e.g. Verizon's auditors may be reined in if their finding might harm Verizon's hosting services.
  A clever counter to this (human corruption) is improved tools. There is a tool that searches for any possible credti card numbers on the local machine. Earlier versions you could pause. So you let it run to 98%, then pause it. Review its logs to locate all the violations, then go clean them. Then restart the tool. Later versions would notify the auditor if you paused it. It was easy to block this or lie to the auditor (or suffer a server crash at a convenient time), but obviously a lot more suspicious.
21. Re:joek by Anonymous Coward · 2016-03-08 10:36 · Score: 0
  
  Yes, and the probably pointed to machines in your DMZ that needed patching for a known vulnerability, or some filtering against SQL injection
  The problem comes when the developers do not change their coding style, or the admins get busy putting out fires and don't keep the patches up, or there no clear ownership on the external scans so nobody reads the reports, etc...
  Security is a practice that needs to be maintained, not a point in time condition that is satisfied by a scan.
  In fact the 'feel good' of clearing the issues on the scan can leave you less likely to spend money, time or effort maintaining security
22. Re:joek by Anonymous Coward · 2016-03-08 10:41 · Score: 0
  
  I got to agree, they had a big questionnaire about how our site was laid out internally and the security features. Just answer yes to everything and pay their fee and you get the sticker. How the hell are they going to check if I'm lying? I'm not giving them access to anything, nobody is doing any audit, I suppose they ran a port scan and I do run a firewall. But other than that it's pretty much pay the fee get the logo.
23. Re:joek by Anonymous Coward · 2016-03-08 10:47 · Score: 0
  
  he means that there is a chance of some (many) instances being security theater while other are genuine.
24. Re:joek by Anonymous Coward · 2016-03-08 10:51 · Score: 0
  
  I think it can help in bringing together multiple departments on an important and common issues, namely physical and electronic security of credit card information. It also helps empower security professionals in their organizations to employ common-sense practices that they should be doing anyway. The PCI compliance audit may be security theater in and of itself, but I believe that it still has a great deal of value in getting an organization to really evaluate and change some of its information security practices.
25. Re:joek by TechyImmigrant · 2016-03-08 10:51 · Score: 2, Insightful
  
  They failed my wife's company web site for PCI compliance, not because it wasn't PCI compliant, but they hit the honey pot (advertising an old version of mysql) I installed to create filter block lists for the intrusion filtering. So I pre-filtered the pointless PCI scanning service and the problem went away.
  The PCI-DSS specs are written by incompetents. They exude incompetence. The documents seem to encourage an understanding that as long as you write down a bunch of procedures, your computers will be secure.
  PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a comptent organization taking effective steps to improve the security of payment mechanisms.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
26. Re:joek by TechyImmigrant · 2016-03-08 10:55 · Score: 1
  
  PCI compliance is a joke anyway. 100% security theater.
  I'm a PCI qualified security assessor for a smaller firm, not one of the ones that was included in the above list. For one thing, compliance is not necessarily the same thing as security. And while there are some subrequirements of questionable effectiveness, none of them would qualify as 'security theater'. If I had to level a criticism on the entire system, it's this: The rigor of testing from firm to firm, and willingness to interpret requirements in ways that are beneficial to lazy sysadmins varies greatly. When assessor firms are trying to win contracts, they may not leave enough hours to sufficiently test an environment, so they cut corners and miss things. Companies that don't see eye to eye with their QSAs (for example, we break the news that a very expensive configuration is not compliant) will ditch them, and shop for someone who will agree with them. This isn't allowed, but I haven't heard much in the way of enforcement.
  To the article's point, what both assessed companies and the FTC need to understand is that assessments are a point in time. They may have recently gotten a clean report on compliance, but they probably still were not PCI compliant at the time of breach. And just because you're PCI compliant doesn't mean that you won't get breached. Like any other compliance measure, it is simply the cost of entry to be a standard-bearer of major card brands.
  What you didn't mention is that the companies are being subject to blackmail. Pay $100 and get a PCI stamp of approval, or pay a higher per-transaction credit card fee. How this is not illegal is beyond me.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
27. Re:joek by tnk1 · 2016-03-08 10:59 · Score: 1
  
  PCI compliance is merely showing that you have done a due diligence and audited check of your security against (mostly) sound security principles.
  Reality is... PCI can't stop all attacks. Not much can, truth be told, unless you're an NSA level operator, and even they suffered an Edward Snowden. The proper process and security program can stop some of the attacks and mitigate the damage of successful attacks.
  In terms of legal liability, IANAL so it is hard to say what effect it will have, but it could reduce it to near zero, if you can prove that you had a good faith attempt to secure your application.
  On the other hand, as an application provider, you also have specialized knowledge of your application and you should be able to do better than the PCI bare minimum, so if you fail to secure areas that are in your own area of reasonable expertise, you may suffer liability, but hopefully less liability than someone who failed or gamed the PCI process.
  After all, if you lock your door and secure it, but a thief is somehow able to easily remove the bricks for your wall and smash through the drywall to get in and take your stuff, there's really only so far you can go to protect your stuff.
  If done right, this handles the low hanging fruits, and possibly some of the middle ground, but it can't do squat against 0-day attacks that no one else knows about. Most companies have no ability to gain knowledge of 0-day attacks, and as we saw with Heartbleed, it can go on for years before it becomes public.
  Further, before Heartbleed was public, it was also a lot less well known to all possible attackers. Once publicized, the race is on to prevent everyone else out there from using it, and if PCI is working properly, you may not stop the 0-day attacks, but you won't have your pants down after they have been announced.
  So, PCI, or some regime is a necessary, but not complete method of stopping attacks. It's part of a defense in depth approach.
28. Re:joek by Acid-Duck · 2016-03-08 11:03 · Score: 2
  
  Since no one else did yet and you seem to be oblivious to this fact, allow me to be the first to say so:
  While PCI audits aren't perfect, people like you are the bigger problem. You're too god damned lazy to read (and probably too stupid) to understand or even act on the feedback provided by the report so instead you cheat to pass the test.
  One of the most confusing aspects of PCI audits for noobs like yourself is the fact that applications installed using package managers (as opposed to compiled from source) will often have inferior version numbers, despite the fact they're still safe since security patches are back-ported.
29. Re:joek by tnk1 · 2016-03-08 11:09 · Score: 1
  
  I think what you're saying is a serious problem with the enforcement system, and I know companies do this.
  I do want to be careful though. One place I worked, they said that PCI was a joke for the reasons that you stated, but I know they said that just because they couldn't be arsed to do PCI for real and knew we wouldn't be able to skate by.
  So, it is important to differentiate the actual process of having audits and standards with how those audits are run. I agree that we need a new process for enforcement, but I want to make sure that we aren't just feeding the excuses of people like those I worked with, who were more than happy to trash PCI so that they could get on with making products with little regard for security except where they thought it would look good as a fancy looking "feature" they could sell, but left the door wide open in other areas like secure coding and operating the environment.
30. Re:joek by Anonymous Coward · 2016-03-08 11:10 · Score: 0
  
  So anytime a standard doesn't 100% prevent every single attack, it's security theater? The controls set out in the standard are widely accepted, real countermeasures to control rick. Troll harder.
31. Re:joek by Anonymous Coward · 2016-03-08 11:17 · Score: 0
  
  I didn't mention it because that's not really how it is. There's no blackmail going on - if you want to take a branded credit card, you simply have to play by their rules, which includes an assessment by their public standard. Don't like it? Extend your own credit scheme to your customers, or sign up with a third party payment processor so that you reduce your compliance scope to virtually nothing.
32. Re:joek by TechyImmigrant · 2016-03-08 11:28 · Score: 1
  
  Bullshit. What part of credit card handling involving a third party processor, doesn't requires the $100 charge in return for reduced transaction fees? The standard isn't public. It's the work of a cartel. I can read it, but I have no democratic influence over its contents. Once I have transferred my credit card processing fully to a third party (I have), I still have to pay the protection money to avoid the higher charges.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
33. Re:joek by Anonymous Coward · 2016-03-08 11:50 · Score: 0, Flamebait
  
  Or, rather than cheating the test, opening yourself to liability, and edging towards fraud, you simply request an exception and submit evidence to your ASV. There are processes in place to address this stuff in a reasonable way, rather than scamming your compliance work and then blaming the test.
34. Re:joek by Anonymous Coward · 2016-03-08 11:55 · Score: 1
  
  One of the most confusing aspects of PCI audits for noobs like yourself is the fact that applications installed using package managers (as opposed to compiled from source) will often have inferior version numbers, despite the fact they're still safe since security patches are back-ported.
  Which is why people work around the increasingly useless audits. You either spend ten minutes prepping for it, or you spend weeks arguing that yes, RedHat backported a resolution to that security problem six fucking years ago, you dickless felchers.
35. Re:joek by TechyImmigrant · 2016-03-08 12:03 · Score: 1
  
  I did not cheat the test. The test was a fraudulent, claiming to identify flaws in my network that were not present.
  What I want is for the payment processing industry to adopt well understood cryptographic methods to enable customers to pay vendors, without exposing usable credentials to the vendor and to cease with the blackmail tactics that they use as a substitute.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
36. Re:joek by Anonymous Coward · 2016-03-08 12:25 · Score: 0
  
  The standard isn't public. It's the work of a cartel. I can read it, but I have no democratic influence over its contents.
  The standard is available publicly. The standard is administered by representatives from the major card brands and dozens of industry stakeholders, including merchants and processors. You have no influence over the contents, because you have no idea what you're talking about, but plenty of other members of the community do have voices.
37. Re: joek by cdwiegand · 2016-03-08 13:29 · Score: 1
  
  And then they charge more, or just fail you anyways because they must know more than you or you'd be in that business yourself. It's lame, but it's also really easy for online sites to offload PCI compliance through almost every processor out there, so there's no reason to store the cc info yourself.
  
  --
  . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
38. Re:joek by Anonymous Coward · 2016-03-08 13:37 · Score: 1
  
  I work for a managed service provider and, among many other things, I provide support for linux-based clients who failed their PCI-DSS audit. Addressing a failure which is based on miss-matched versions is as easy as pointing to the changelog documentation for your currently installed package and highlighting to the auditor the part of the changelog which specifically addresses the security vulnerability found in the audit report. It usually takes me ~1min per item to address such failures. Like someone already said, these audits aren't perfect however there are valid recommendations in them.
  Another important comment which was already made: A "pass" means the system was compliant at that specific point in time. Some new weakness could of been discovered a week later (or even the next day) and then suddenly the system is vulnerable to an attack, despite having passed PCI-DSS the day before.
  Just because you don't like the way things are done, or you find them to be inefficient, doesn't mean you should put your employer/clients at risk by cheating on their PCI-DSS audits. I agree with the above poster, people like you are part of the problem.
39. Re:joek by Chuck+Chunder · 2016-03-08 14:09 · Score: 1
  
  I did not cheat the test. The test was a fraudulent, claiming to identify flaws in my network that were not present.
  Well, you did "cheat" the test. A scan is just a scan, it isn't 'fraudulently' doing anything, it's just reporting a possible problem. It's up to you to justify any listening port with a business reason and demonstrate appropriate controls for the service.
  
  Of course it's not immediately clear what sort of compliancy tests you are doing. If it's just Tier 3 then you probably not paying much for your ASV and they are geared (and priced) for scenarios where scans show very little is in scope and not much manual appraisal is done. If it's a higher tier then you should be dealing with people who take the time (and are being paid to) to understand your system and make an informed assessment.
  
  PCI isn't perfect but isn't awful as a set of minimum standards and guidelines.
  
  --
  Boffoonery - downloadable Comedy Benefit for Bletchley Park
40. Re:joek by Anonymous Coward · 2016-03-08 14:14 · Score: 0
  
  This is the truth and nothing else. Shame on people for down voting this post.
41. Re:joek by TechyImmigrant · 2016-03-08 18:03 · Score: 1
  
  The PCI can is indeed awful, because (1) the actions it has people take have no effect on the underlaying insecurity of the payment card systems and (2) it comes with a 'pay us or we have the banks charge you more transaction fees' threat for this useless service . The payment card industry needs to fix its crappy, insecure payment cards first before accusing businesses, who have no control over the payment card industry that the cause of insecurity it their fault for not paying for a PCI scan.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
42. Re:joek by Bert64 · 2016-03-08 19:30 · Score: 1
  
  Just because you are compliant, does not mean you're secure.
  That said, PCI compliance is an obstacle to business and most of the PCI accreditors are not very technically minded so a lot of companies blag their way through by misleading their QSA...
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
43. Re:joek by Bert64 · 2016-03-08 19:36 · Score: 1
  
  Often those audits are based purely on a blind external scan, so while you get the false positives due to backported security fixes you can also get false negatives where the banners have been turned off or changed.
  To do the job properly, you really need access to the host so you can audit it thoroughly and determine whats installed, how its installed and wether it has backported patches or similar but a lot of clients don't want to do that... They think that a completely blind test is "more realistic", despite the fact that you have numerous limitations imposed on you (limited time, can only attack the specific targets and not try looking for other less obvious ways in, cant do anything that might risk crashing the host or service etc).
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
44. Re:joek by Bert64 · 2016-03-08 19:43 · Score: 1
  
  PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a comptent organization taking effective steps to improve the security of payment mechanisms.
  The PCI-DSS specs are a huge compromise... If they made them too tough then the vast majority of companies would be completely unable to be compliant with their existing systems, and would basically have to build an entire new network for dealing with card data. If you make something too difficult then noone will do it at all, and noone would ever enforce that because the card companies actually want people to use cards.
  So what you have instead is a baby step, PCI-DSS may not be very good but it's better than the only actual alternative - nothing at all.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
45. Re:joek by Anonymous Coward · 2016-03-08 21:25 · Score: 0
  
  The test you're describing is not the test that the article is referring to, yours sounds like a quarterly asv scan, which is merely one tiny component of these sort of things.
  (And the honeypot/ips combo would be perfectly permissible, it just needs documentation).
46. Re:joek by Anonymous Coward · 2016-03-08 21:28 · Score: 0
  
  Then use a different ASV service...
  PCI (like many similar programs) is really crazy hot on documentation, there's lots and lots and lots of things that you can do as long as a valid business need is documented, and the risks/mitigations detailed.
47. Re:joek by Anonymous Coward · 2016-03-09 07:47 · Score: 0
  
  So in other words you knew they were testing the wrong host and didn't say anything? Hope you don't get caught :)
48. Re:joek by Chuck+Chunder · 2016-03-09 11:22 · Score: 1
  
  The payment card industry needs to fix its crappy, insecure payment cards first before accusing businesses,
  It's not entirely clear what you mean by "payment card industry". The "payment card industry" is everybody, including "businesses" and there's an awful lot of existing infrastructure all that has to keep working. It sounds like you are complaining about card schemes (Visa, MasterCard, Amex) but the Tokenisation stuff they've come up with via EMVco is pretty good, it's just there's an awful lot of infrastructure (including at "businesses") that needs to be updated to work with it. (Indeed EMV one time payment tokens appear to be one of the modes supported by ApplePay, so it's probable that people are doing such payments today, but probably only in cases where the cardholder's bank supports it, the merchant supports it in their app, and the merchant's payment gateway supports it, etc etc etc).
  
  But saying the payment industry should do X "before" trying to improve security at businesses is ludicrous, security is about dealing with the real world and trying to make what is already there better, not doing nothing until some ideal solution becomes available.
  
  --
  Boffoonery - downloadable Comedy Benefit for Bletchley Park
49. Re:joek by TechyImmigrant · 2016-03-10 07:30 · Score: 1
  
  PCI as in the PCI in PCI-DSS and the associated companies responsible for plaintext magstripe credentials still being in use today.
  Saying "We're EMVco and we're so awesome for developing chip & pin" while mag stripes are still accepted everywhere and the mostly pointless chip & signature is what is foisted on the public is pretty bloody disingenuous.
  We have a business with a store and at no point have we been given the option of buying or using payment equipment that can only be placed in a secure configuration.
  It is the classic security faux pas of securing the front door (and not very well) while leaving the back window open. No criminal needs to bother cracking chip&pin when they plaintext mag stripes are in broad use.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
50. Re:joek by RockDoctor · 2016-03-11 16:30 · Score: 1
  
  I still remain completely in the dark.
  From your description, your work in $JURISDICTION$?
  But , does this ruling apply to $OTHER_JURISDICTION$?
  I don;t live in America, and have no desire to visit America, or to conduct business with anyone whose contract law is based in America.
  Do I need to concern myself with someone called "FTC"?
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Good... by Anonymous Coward · 2016-03-08 08:23 · Score: 0

this is what regulated capitalism is all about, weeding out charlatans and enforcing good practices.
Even Milton Friedman would ask that companies perform a cost-benefit analysis of attempting to avoid security costs, and government oversight, or the cost of operating under a consent decree would figure into that.
Sounds like they want to make... by Anonymous Coward · 2016-03-08 08:24 · Score: 0

the audits even more intrusive, time consuming, and expensive. This is going to hurt.
Conflict of interest by Aaden42 · 2016-03-08 08:25 · Score: 1

This could get interesting. It always bugged me a bit that you’re paying a company (you’re their client) to give you a stamp of approval, and the only thing you need to avoid a bunch of liability is that stamp of approval. Doesn’t seem like there’s any disincentive to them to just pass you if you give them enough money. Maybe they fail you, you pay a bunch of hush^Wconsulting money for them to help you get compliant, then they pass you.
There’s definitely a lot of good things in PCI-DSS, but there’s a difference between getting a bunch of checkmarks on a list versus actually incorporating the security recommendations into your development cycle and systems design.
1. Re:Conflict of interest by Anonymous Coward · 2016-03-08 21:33 · Score: 0
  
  In the PCI cases that I've been involved in, the organisation that is doing the audit (i.e. the QSA) is limited in the level of advice that they're allowed to offer, and folk usually employ two firms, one to help get compliant, and a different one to do the audit.
Commie fascism! by fuzzyfuzzyfungus · 2016-03-08 08:26 · Score: 2, Funny

How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?
1. Re:Commie fascism! by rsborg · 2016-03-08 09:12 · Score: 2
  
  How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?
  Because the invisible hand is very good at stealing from us?
  
  --
  Make sure everyone's vote counts: Verified Voting
Pay to win. by BrookHarty · 2016-03-08 08:28 · Score: 2

If the compliance company won't help you pass, they wont be in business long. Compliance companies want customers to pass, so they get hired again and not black listed.
This is why nobody is failing.
1. Re:Pay to win. by tnk1 · 2016-03-08 09:10 · Score: 1
  
  Well, they can't just walk in there, tell you that you fail, and walk out. I mean, you *could* do that, but you don't want a standard to immediately put you out of business if you have a flawed, but good faith effort to comply. PCI is not about hitting a target and nothing else. You want an auditor to work with you to get you back into shape.
  Of course, you're probably suggesting that the "help" isn't from improvements, but rather from gaming the system. In that sense, it is possible for that to happen. I think the funding for audits should come from a different place, or some other organization selects the auditor if the audit target is paying for it.
  That said, we should certainly not put all our fish into the PCI basket. Security is definitely not something that comes out of a set of requirements for a certification. At best it is a framework for you to use to get your InfoSec program to a certain minimum standard.
2. Re:Pay to win. by geekmux · 2016-03-08 09:20 · Score: 1
  
  If the compliance company won't help you pass, they wont be in business long. Compliance companies want customers to pass, so they get hired again and not black listed.
  This is why nobody is failing.
  Wanna know a surefire way to short-circuit that bullshit from happening? Hold the asshats "helping" you pass legally liable for the systems they certify as compliant.
  I know that will likely never happen, and we'll continue this political ass-kissing game of validation by palm grease.
  In light of that, what needs to happen is companies that suffer massive breaches stand up and sue the living shit out of the org that certified them as compliant.
Yeah! by Anonymous Coward · 2016-03-08 08:29 · Score: 0

Great idea for the FTC to do this, and very appropriate. The breach business is getting out of hand.
Unfortunately, in a situation like this, it is common, if not habitual, for organizations to be compliant with
the standard, or the government rules, and rest there. Those standards, such as PCI in this case, should be
regarded as the minimum they have to do, not the maximum.
1. Re:Yeah! by IT.luddite · 2016-03-08 08:53 · Score: 1
  
  That's why it's security compliance and not security. You get what you measure, and you're measuring the minimum.
2. Re:Yeah! by Anonymous Coward · 2016-03-08 09:00 · Score: 0
  
  Those standards, such as PCI in this case, should be regarded as the minimum they have to do, not the maximum.
  To most organizations, those words are synonymous (and they're more like "guidelines", really).
3. Re:Yeah! by Anonymous Coward · 2016-03-10 13:42 · Score: 0
  
  That reminds me of the Building Code. Another system that the codes people all regard as the minimum and the builders/contractors all regard as the maximum.
  Logically the first are correct. Market pressures and ever-present cost minimization/profit maximization ensure that the second are correct for every ordinary building project.
Spoiler alert by Anonymous Coward · 2016-03-08 08:29 · Score: 0

What they'll find is that practically all the non-phishing breaches happened to companies employing Microsoft and other proprietary products across the enterprise.
Given the closed source nature of proprietary software vendors, it is impossible to know how many zero-day (and other) exploits on server software. Therefore the vulnerabilities that PCI compliance is designed to prohibit will always be present; it's a cost of doing business with proprietary software. Especially from certain vendors that have a long history of producing substandard products in terms of security.
Numerous studies have confirmed this so it's curious why the FTC doesn't just use that data instead of going through the expense of these interviews.
Art imitating life by Anonymous Coward · 2016-03-08 08:32 · Score: 0

The way the summary just says the same thing as the headline a couple more times is very much like the process of figuring out how to fill in the ****ing compliance forms.
Yeah! by sotweed · 2016-03-08 08:32 · Score: 2

Great idea for the FTC to do this, and very appropriate. The breach business is getting out of hand.
Unfortunately, in a situation like this, it is common, if not habitual, for organizations to be compliant with
the standard, or the government rules, and rest there. Those standards, such as PCI in this case, should be
regarded as the minimum they have to do, not the maximum.
We'll help you fix things to pass. We're audited by raymorris · 2016-03-08 08:38 · Score: 2

We'll "help you pass", and help you be more secure, by telling you where some of your vulnerabilities are and giving you pointers on how to fix them.
The PCI DSS company is itself audited. The company I work for is preparing for our annual audit right now and we're improving our scanning in order to pass the test. Those improvements are improvements in how well we scan our customers.
What? by ArchieBunker · 2016-03-08 08:44 · Score: 1

Any idea what "PCI DSS assessments" means? Don't utilize that new fangled thing called a hyperlink to let anyone know.

--
Only the State obtains its revenue by coercion. - Murray Rothbard
1. Re:What? by SeaFox · 2016-03-08 09:02 · Score: 1
  
  This is the Information Superhighway 2.0, where everything is toll roads. You're supposed to go "Hey Google, what's a PCI DSS assessment?" to your smartphone instead of using that archaic mouse to click a link to an actual authority of the topic.
2. Re:What? by citizenr · 2016-03-08 16:23 · Score: 1
  
  its probably things like this: http://csrc.nist.gov/publicati...
  = determining needed password length based on assumption of using 300 baud modem connection to the server etc
  
  --
  Who logs in to gdm? Not I, said the duck.
We took it seriously... by Anonymous Coward · 2016-03-08 08:45 · Score: 0

I know at my old (now defunct) company, we took the PCI audits very seriously. When I say very seriously, I mean that we made sure nothing obvious stood out when they were there. So yeah, it could easily be that they don't really do all that much.
Trustwave by Anonymous Coward · 2016-03-08 08:50 · Score: 0

The most corrupt and prolific PCI audit firm, Trustwave, some how managed not to be included in the audit? Way to go FTC.
Re:We'll help you fix things to pass. We're audite by gmack · 2016-03-08 08:53 · Score: 1

This is how it was for the company I worked for a few years ago. The auditor walked in said "it's secure but it doesn't meet the standard" and I had to spend the next 3 days reworking my network setup in order to pass.
Re: joke by Anonymous Coward · 2016-03-08 08:56 · Score: 0

This is wholly situational dependent.
If you are a massive company with a ton of money and lawyers to throw around, then yes, it is a joke. It doesn't matter how long the audit takes. You can keep paying auditors more and more money until you pass, or even switch to a new auditor. You can even have your lawyers put pressure on the auditors.
If you are a small company and you can't afford to waste time and money by dragging on the audit for any longer than absolutely necessary, then it is far from a joke. If you don't pass the audit and you cannot afford two audits, then your company is out of business. That is no joke.
Where you see breaches happen is at large companies. You do not see breaches at small businesses who have spent a significant portion of their revenue just on their PCI audit.
Unfortunately, I have to post this anonymously to protect my identity, but it is wholly true. The PCI audit does have a lot of checklist items that when checked give you no additional security but small operators have to outlay not only a significant amount of money for the audit but a significant amount of money for programming work and additional staff in some cases, as a percentage of their revenue.
This happens all the time (see The Big Short) by rsborg · 2016-03-08 09:11 · Score: 1

This could get interesting. It always bugged me a bit that you’re paying a company (you’re their client) to give you a stamp of approval, and the only thing you need to avoid a bunch of liability is that stamp of approval. Doesn’t seem like there’s any disincentive to them to just pass you if you give them enough money. Maybe they fail you, you pay a bunch of hush^Wconsulting money for them to help you get compliant, then they pass you.
There’s definitely a lot of good things in PCI-DSS, but there’s a difference between getting a bunch of checkmarks on a list versus actually incorporating the security recommendations into your development cycle and systems design.
The financial crisis was made possible by a willful negligence on the part of ratings agencies and big banks who paid to have their financial instruments rated.
The Enron crisis had the same hallmarks.
This shit is still going on in a lot of places. Glad to see the FTC putting it's teeth into some of it.

--
Make sure everyone's vote counts: Verified Voting
DSS in my PCI? by Anonymous Coward · 2016-03-08 09:20 · Score: 0

Articles should spell out what their 3 letter initials mean.
I'm still trying to figure out why they want to audit my Peripheral Component Interconnect to see if it has a Direct Sequence Spreadspectrum (802.11b) card.
I got stuck doing PCI compliance before .... by King_TJ · 2016-03-08 09:34 · Score: 1

At a previous job (small "family owned" business), they really didn't even handle credit cards very often. But every once in a while, they'd get the walk-in or phone in customer who wanted to pay with one. As the only I.T. guy on staff, I was tossed the mandate to "do the PCI compliance thing, since our bank says we need to start doing it".
I had to do kind of a crash course in it (while they signed us up with a company who would certify us "compliant" after I jumped through all of their hoops).
It's been a while now, but as I recall -- I was able to skip a huge test full of compliance questions simply by telling them we used an outside card processor over the Internet and didn't store any card data locally. I still had to make sure their monthly "penetration testing" passed/didn't find issues, and had a much shorter (25 questions or so?) compliance test to fill out annually.
They complained about several issues that seemed fairly pointless in our situation, although I understood the logic behind about 80% of it. (I remember them always flagging a "warning" because our firewall allowed connections through ports necessary for regular business operations. And I believe one of their demands was that "any computer connecting to the card processing site had to be isolated from the rest of the local network". That was, IMO, overkill and created as many security issues as it solved, since we had Microsoft's WSUS running to push security patches to the workstations automatically, once approved by me -- and I wanted some kind of way to do remote administration or maintenance on these boxes, via the normal procedures used to access any other systems on the LAN.)
So basically, I tried to comply with anything listed that was reasonable -- and "fudged" things on a couple line items. I imagine that's how most companies treat this stuff?
1. Re:I got stuck doing PCI compliance before .... by vux984 · 2016-03-08 09:55 · Score: 3, Informative
  
  A small family owned business can't be PCI compliant UNLESS they outsource the compliance. PCI compliance for any on-premises card information handling requires multiple individual staff (one IT person can't 'audit' himself) responsible for different roles.
  Honestly it all makes a lot of good sense.
  Once you switch to an external card processor, life gets pretty simple. PCI compliance is on them not you. For example, an online business with a webstore, the staff never have to touch card information, so you are compliant as long as your procedures stipulate that you don't.
  For a more retail place, bring in a payment terminal, and its pretty much plug and play.
  As soon as you start entering card numbers into your own computer, then you have to start taking steps to ensure the computers aren't pwned. Virus installed and up to date, firewalled, secure network, etc. But if you don't want to deal with it, don't enter card information into your computers, and just use a payment terminal.
  
  And I believe one of their demands was that "any computer connecting to the card processing site had to be isolated from the rest of the local network". That was, IMO, overkill and created as many security issues as it solved
  In a mom and pop, it's probably all of them anyway, and the one LAN server they talk to is PART of their local area network. (Think larger businesses, where one department might handle cards but another doesn't. The computers from the other department shouldn't be on the same lan. All the computers should still be able to talk to your WSUS server though.
  Sufficient segregation can be achieved with VLANs and a router. It's not that they aren't allowed to talk to your WSUS server, its that the 30 workstations in marketing can't talk to them. Then you just have to audit your server for PCI compliance but allows you to ignore those 30 marketing PCs for PCI compliance.
  
  and I wanted some kind of way to do remote administration or maintenance on these boxes,
  A typical VPN setup should have been fine, especially if you restricted the inbound ip ranges.
  You definitely made the right choice using an external processor; you probably could have gotten through without fudging (and your network would have been genuinely slightly more secure if you'd done something along the lines of what i outlined.)
  
  (I remember them always flagging a "warning" because our firewall allowed connections through ports necessary for regular business operations.
  
  I'm not sure what this would be. Why would your firewall have wide open public facing to systems that were handling card data?
2. Re:I got stuck doing PCI compliance before .... by citizenr · 2016-03-08 16:25 · Score: 1
  
  A small family owned business can't be PCI compliant UNLESS they outsource the compliance. PCI compliance for any on-premises card information handling requires multiple individual staff (one IT person can't 'audit' himself) responsible for different roles.
  Honestly it all makes a lot of good sense.
  on paper, in reality you end up with clueless non technical pencil pushing rubber stampers playing golf with C level people.
  
  --
  Who logs in to gdm? Not I, said the duck.
3. Re:I got stuck doing PCI compliance before .... by vux984 · 2016-03-08 17:07 · Score: 1
  
  Yes and no. It's a good set of requirements, if read and implemented by competent IT people looking to achieve security.
  But you are also right, if its read by a team of lawyers looking to minimally slide through, and audited by a team of lawyers looking to let you slide through those loopholes for their rubberstamped "PASS"... then yes, you end up with with a worthless rubber stamped facsimile of a secure system.
4. Re:I got stuck doing PCI compliance before .... by Anonymous Coward · 2016-03-09 02:34 · Score: 0
  
  Once you switch to an external card processor, life gets pretty simple. PCI compliance is on them not you. For example, an online business with a webstore, the staff never have to touch card information, so you are compliant as long as your procedures stipulate that you don't.
  Wrong. Just wrong. You're still responsible for PCI compliance for any systems that host the site, even if the payment link is done via a redirect, iFrame, etc. If you're using an API to take the card info and forward it along to the third-party payment processor, your PCI compliance responsibilities increase even more, but they're still there even if you never see the card data because you're responsible for protecting the link. And if you have another company handle all the web hosting AND payment processing? Well then you still maintain responsibility for ensuring that THEY are PCI compliant, which means having specific agreements with them in place and monitoring their compliance via ROCs.
  This idea that you can escape all responsibility simply by not seeing the card data is a common myth that needs to die.
  
  For a more retail place, bring in a payment terminal, and its pretty much plug and play.
  Wrong again. You still need to do things like physically protecting the terminal and monitoring any alerts for known vulnerabilities. You need to track any known vulnerabilities with terminal devices and update their firmware as appropriate. You need to ensure they aren't printing full PANs on receipts. If they're on a network (as opposed to dialing in through POTS), there's a whole host of other requirements that come into play.
  
  Sufficient segregation can be achieved with VLANs and a router.
  This segregation is fine, but must be tested as part of the required regular penetration testing.
  
  A typical VPN setup should have been fine, especially if you restricted the inbound ip ranges.
  It is, but it has to be two-factor.
5. Re:I got stuck doing PCI compliance before .... by Anonymous Coward · 2016-03-09 02:38 · Score: 0
  
  So basically, I tried to comply with anything listed that was reasonable -- and "fudged" things on a couple line items. I imagine that's how most companies treat this stuff?
  That's exactly what the bank and the PCI SSC want to see you do. That way, you reduce the risk of a breach, but if one does happen, they can poke holes in your compliance and hit your company with a massive fine (technically they hit your bank and your bank hits you, since that's the flow of signed agreements) to make an example out of you and recover some or all of the losses.
6. Re:I got stuck doing PCI compliance before .... by vux984 · 2016-03-09 05:33 · Score: 1
  
  Wrong. Just wrong. You're still responsible for PCI compliance for any systems that host the site, even if the payment link is done via a redirect, iFrame, etc.
  Your PCI compliance amounts to little more than signing off that you aren't touching card data at all. And that you are using a PCI compliant party to handle it.
  Yes, you have some obligations to ensure that your site isn't pwned, and redirecting your customers to a fake payment gateway. But that doesn't require you have dedicated baremetal server running in the locked down PCI-DSS compliant wing of the data center. It requires some routine minimal security configuration and maintenance that you should be doing anyway, and it is not at all an onerous burdern.
  
  If you're using an API to take the card info and forward it along to the third-party payment processor, your PCI compliance responsibilities increase even more,
  
  Do that, and you expose yourself to full PCI compliance requirements, because now you ARE handling card data.
  
  This idea that you can escape all responsibility simply by not seeing the card data is a common myth that needs to die.
  Fair enough, you don't escape "ALL" responsibility, but it turns it into routine maintenance that even the smallest shops can easily comply with.
If it was PCI, that was a pass (except convenience by raymorris · 2016-03-08 09:52 · Score: 2

The PCI DSS standard explicitly allows for alternative methods of meeting the security goal, so as long as it's demonstrably secure it should pass. However, if the standard security practices aren't in place, you do have document why it's secure without the expected measures.
If this was for PCI, the auditor may have made an error, or (likely) there was an error in communication. It would be correct to say "this is secure and therefore will pass, but since it's non-standard you'll need to send in documentation to each auditor. It may be more convenient use standard practices rather than documenting non-standard practices. "
Re:If it was PCI, that was a pass (except convenie by gmack · 2016-03-08 10:01 · Score: 1

He was from IBM and not very flexible. If he didn't like it, I had to change it and most of the changes were down to network seperation. The end result was rather solid so aside from a few 12 hour days, I have no complaints.
PCI like SSL certs and tld's by future+assassin · 2016-03-08 10:10 · Score: 1

cheap way to print money from nothing,

--
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
PCI compiance: foiled by iptables by Anonymous Coward · 2016-03-08 10:49 · Score: 0

I once had a traditional credit card machine. They forced me to use their partner PCI compliance service. I was tired of dealing with the non-problems they emailed me about so I finally figured out an easy way to make it 100% foolproof: iptables DROP their scanning IP block.

Holy shit, now I'm 100% passing with no warnings! I laughed at how incredibly stupid and useless such a "service" was and never heard from them again. Then I dumped that stupid card terminal and never looked back.
PCI STANDARD IS A CRUAL HOAX by Anonymous Coward · 2016-03-08 10:50 · Score: 0

Everyone knows that scope reduction is the only economically realistic way for most businesses to become PCI compliant.
Hackers don't give a rip about scope!
So merchants can either spend 9 months a year EVERY year as Target did to maintain their now obviously worthless "PCI certification"
or PCI council be damned; build an absolutely secure but non-compliant environment.
Hey FTC you should hit up security metrics by WaffleMonster · 2016-03-08 11:00 · Score: 1

I think the FTC just hit a jackpot. For sure lots of ripe low hanging fruit to be plucked in the PCI theatre/shakedown arena.
I've personally had issues with Security Metrics. Noticed after the fact an online purchase was conducted entirely in the clear. I contacted the "secured by" banner to complain. Responses I got back were priceless. First they said they were NOT complaint even though their own site still showed they were. When I brought this up all I got was silence followed by no action taken to correct admittedly invalid assertion of certification.
Then months later they told me they were NOW compliant and found no vulnerabilities even though anyone buying something from the site never sees a secure page. All facts trivially confirmed with seconds of manual effort. Even when I brought it up over a series of months, being very polite giving them plenty of time to respond/correct it was like talking to a brick wall.
Nobody cares and nobody seems to have a REASON to care.
From PCI gods to ASAs on down everyone in the chain explicitly disclaims responsibility for their own (in)actions.
1. Re:Hey FTC you should hit up security metrics by Anonymous Coward · 2016-03-09 10:30 · Score: 0
  
  I think the FTC just hit a jackpot. For sure lots of ripe low hanging fruit to be plucked in the PCI theatre/shakedown arena.
  I've personally had issues with Security Metrics. Noticed after the fact an online purchase was conducted entirely in the clear. I contacted the "secured by" banner to complain. Responses I got back were priceless. First they said they were NOT complaint even though their own site still showed they were. When I brought this up all I got was silence followed by no action taken to correct admittedly invalid assertion of certification.
  Then months later they told me they were NOW compliant and found no vulnerabilities even though anyone buying something from the site never sees a secure page. All facts trivially confirmed with seconds of manual effort. Even when I brought it up over a series of months, being very polite giving them plenty of time to respond/correct it was like talking to a brick wall.
  Nobody cares and nobody seems to have a REASON to care.
  From PCI gods to ASAs on down everyone in the chain explicitly disclaims responsibility for their own (in)actions.
  Any website selling items that does not put me on a valid secure connection once I get to the point where I enter in personal identification information is automatically blacklisted (which means that my family and a fair bit of my extended family and friends will not go there to buy stuff). It is very rare to not have alternative source for an item so I can be picky if I want to...
Never gonna give you up... by Anonymous Coward · 2016-03-08 16:20 · Score: 0

Face it: you will *never* control Rick.
It's worse than that even by Anonymous Coward · 2016-03-08 17:35 · Score: 0

It's burdensome security theater. Every year I do the annual assessment and go through 30-40 pages of clicking "yes". I don't even bother reading the questions anymore because exceptions and explanations are automatically rejected with no recourse to have a human with common sense review them.
We need an open source standard that replaces PCI with something that's actually secure.
How do you handle this situation? by Anonymous Coward · 2016-03-08 17:42 · Score: 0

I work for a company that is in clear violation of PCI compliance with no real solution. We sell things that are often backordered for days/weeks/months. Customers want the items because we're the only supplier. We store all credit card information until the items come in, then we process it and wipe it.
The only alternatives are to charge up front for the stuff, which we can't do because customers get pissed when they get charged and the item hasn't shipped or we can wipe the card information and call them to manually recapture it over the phone once we have the items in stock. Not very practical due to the volume and the low margin. We'd need a call center about 20 times the size of our current setup.
We open a connection once a day (automated), transfer all these numbers to and from our server that captures the CC Info to begin with. They sit on a server with no other network connection than this brief transfer window. Once they're processed they are wiped. I feel like it's about as secure as we can get.
If anyone has a better solution, I'd love to hear it.
1. Re:How do you handle this situation? by Anonymous Coward · 2016-03-09 01:21 · Score: 0
  
  Check with your CC processor to see if they can supply a token to you that can be used (only by you) for a future transaction and make sure everything you are storing is encrypted. It is called Credit Card Tokenization. This way you are not storing your customers information.
PCI DSS is a mixed bag by Beryllium+Sphere(tm) · 2016-03-08 18:08 · Score: 1

At its best it's prescriptive and incorporates some sound practices. At its worst, it's as bad as you say.
At least one cynical person has suspected it's all just a way for the card issuers to shift liability to merchants ("Your Honor, we will show the defendant was out of compliance with the following vague language ...").
At least it's better than HIPAA but that's setting the bar pretty low.
How we dealt with PCI compliance by Anonymous Coward · 2016-03-09 02:46 · Score: 0

First, our network hardware is specified by an outside vendor. We have no choice but to use the equipment we're given to employ the system we use for our non-credit-card-processing part of our business. (Sucks, but that's how it is if we want ongoing support.) We weren't going to go to the expense of creating a dedicated network and internet service just for a digital POS to run credit cards.
Second, we got one too many, "OH NOES! YOU MUST CHANGE THIS, THIS, AND THAT," such as open ports which our system requires to be open and similar issues. And on certain issues, our support vendor (who doesn't give a flying frak about our processing credit cards since we don't use the vendor's solution,) absolutely refused to address the issues causing some of the fails.
No we can't change vendors. But since we accept credit cards at only one point and we have fist fulls of DID phone numbers, we rolled back to using a phone line credit card machine and got a machine that can handle chips at the same time.
Which works for us just as well, and we don't have the hassle of dealing with PCI intrusion testing. (We still do PCI compliance, but it is ever so much simpler without the internet component. And I highly recommend any small business either do the same or go with Square or other such companies where one doesn't have to screw around with it.)
PCI: Protecting the hardlines of America.
(And don't get me started on how PCI shifts responsibility away from CC companies and CC equipment vendors onto the merchants, or that it is impossible to be PCI compliant and have a breach because the last step of certification essentially says if you have a breach you must not have been PCI compliant.)
re: open ports on firewall by King_TJ · 2016-03-09 04:16 · Score: 1

The reason we kept getting flagged for open firewall ports is because the only connection in or out of the Internet was via that firewall and router. So any outside "penetration testing" had to test against the firewall and whatever it saw behind it.
The rules we had configured were to allow certain ports to forward to specific servers though .... nothing related to the workstation in the office running the card processor's software. But their automated testing didn't care. It wasn't intelligent enough to know that those ports led to things like our in-house Exchange server, or ability to connect to a terminal emulation session to a Unix box running an ancient software package for sales and CRM. They just said, "point us to your IP address so we can test it" and that's the only IP we had to give them.
Re: open ports on firewall by vux984 · 2016-03-09 05:11 · Score: 1

The reason we kept getting flagged for open firewall ports is because the only connection in or out of the Internet was via that firewall and router. So any outside "penetration testing" had to test against the firewall and whatever it saw behind it.
Yeah, I suspected this was the case after I posted.
But that is essentially why they were "only" warnings. You get the list of open ports, and you sanity check each one.
Imagine if you were the actual online processor handling webstores... your front facing web server is GOING to be open on the HTTPS port for communications with the various embedded iframes or whatever widget you are using for your customers.
They'll do the pen-test and they'll flag that port open with a warning.
You'll get the report, see that HTTPS is open, and rubberstamp it as a-ok, because you know that port is supposed to be open.
If the report comes back with another port open, though, that will be flagged as well, and you might do a double-take, hey... that is NOT supposed to be open.
In your case, the open ports list you know are port forwarded to legitimate services on diffrent machines, so you can disregard them. But if that warning list came in one year with a port you weren't aware of... you'd follow up, and investigate it. That is the point of the port flagging and warning... not because you can't have open ports and be in compliance, but because you should be aware of each one, what it is for, and where it goes.
Comment removed by account_deleted · 2016-03-10 00:11 · Score: 1

Comment removed based on user account deletion