FTC Demands Info From PCI Auditors On Breached Companies' Compliance
Trailrunner7 writes: The Federal Trade Commission has sent an order to nine of the larger companies that do PCI DSS assessments, demanding that the organizations turn over detailed information on how they conduct those audits, how often they actually declare a company non-compliant, and many other details. The FTC on Monday said it has sent orders to nine of these companies, including Mandiant, PricewaterhouseCoopers, and Verizon Enterprise Solutions, requiring that they provide details of how they handle those assessments. Specifically, the FTC is very interested in how many companies were deemed PCI compliant in the year before they suffered a data breach. Many companies that have been victims of data breaches over the years have touted the fact that they were PCI compliant at the time of their breaches. This has not escaped the FTC's notice.
I had a retail company that ran credit cards. We had to "pass" an "audit" yearly. Took $99 to pass, simple as that. They supposedly did "auto" testing on the IP address for our store, which was a dynamic IP address to start with and was not static. Small ma-and-pa retail shop. So while they had an IP address when I first logged into their website, they continued testing that one IP address after it had changed dozens of times, and still continue to test that old Comcast IP address even though the store now runs through a different provider...
It's a joke and a scam
They failed my wife's company web site for PCI compliance, not because it wasn't PCI compliant, but because they hit the honeypot (advertising an old version of mysql) I installed to create filter block lists for the intrusion filtering. So I pre-filtered the pointless PCI scanning service and the problem went away.
The PCI-DSS specs are written by incompetents. They exude incompetence. The documents seem to encourage an understanding that as long as you write down a bunch of procedures, your computers will be secure.
PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a competent organization taking effective steps to improve the security of payment mechanisms.
I should use this sig to advertise my book, ISBN-13: 978-1501515132.