Slashdot Mirror

← Back to Stories (view on slashdot.org)

FTC Demands Info From PCI Auditors On Breached Companies' Compliance

Posted by timothy on from the show-me-on-the-doll dept.

Trailrunner7 writes: The Federal Trade Commission has sent an order to nine of the larger companies that do PCI DSS assessments, demanding that the organizations turn over detailed information on how they conduct those audits, how often they actually declare a company non-compliant, and many other details. The FTC on Monday said it has sent orders to nine of these companies, including Mandiant, PricewaterhouseCoopers, and Verizon Enterprise Solutions, requiring that they provide details of how they handle those assessments. Specifically, the FTC is very interested in how many companies were deemed PCI compliant in the year before they suffered a data breach. Many companies that have been victims of data breaches over the years have touted the fact that they were PCI compliant at the time of their breaches. This has not escaped the FTC's notice

58 of 101 comments (clear)

  1. joek by blackomegax · · Score: 2

    PCI compliance is a joke anyway. 100% security theater.

    1. Re: joek by Anonymous Coward · · Score: 3, Funny

      Yeah,and PCI express is much faster anyway.

    2. Re:joek by Anonymous Coward · · Score: 3, Insightful

      I had a retail company that ran credit cards. We had to "'pass" an "audit" yearly. Took $99 to pass, simple as that. They supposedly did "auto" testing on the IP address for our store. Which was a dynamic IP address to start with and was not static. Small ma-n-pa retail shop. So while they had an IP address when I first logged into their website, they continued testing that one IP address after it had changed dozens of times and still continue to test that old Comcast IP address even though the store now runs through a different provider...

      It's a joke and a scam

    3. Re:joek by Anonymous Coward · · Score: 1

      PCI compliance is a joke anyway. 100% security theater.

      I'm a PCI qualified security assessor for a smaller firm, not one of the ones that was included in the above list. For one thing, compliance is not necessarily the same thing as security. And while there are some subrequirements of questionable effectiveness, none of them would qualify as 'security theater'. If I had to level a criticism on the entire system, it's this: The rigor of testing from firm to firm, and willingness to interpret requirements in ways that are beneficial to lazy sysadmins varies greatly. When assessor firms are trying to win contracts, they may not leave enough hours to sufficiently test an environment, so they cut corners and miss things. Companies that don't see eye to eye with their QSAs (for example, we break the news that a very expensive configuration is not compliant) will ditch them, and shop for someone who will agree with them. This isn't allowed, but I haven't heard much in the way of enforcement.

      To the article's point, what both assessed companies and the FTC need to understand is that assessments are a point in time. They may have recently gotten a clean report on compliance, but they probably still were not PCI compliant at the time of breach. And just because you're PCI compliant doesn't mean that you won't get breached. Like any other compliance measure, it is simply the cost of entry to be a standard-bearer of major card brands.

    4. Re:joek by tnk1 · · Score: 1

      Speaking as someone who has been in charge of PCI compliance (it was v2, not v3) for a small company, I disagree, but I understand why you would think so.

      Many of the PCI requirements are simply common sense. You'd want to run your security that way anyway.

      There are a few provisions of the PCI DSS where security people could have an honest disagreement with the actual requirements. In those cases, you could present compensating controls which mitigate the issues, which would make it harder for you to convince an auditor to sign you off, but in the end, they are accepted if this is a well researched change.

      One of the biggest flaws I have seen is that every PCI level below Level 1 is a self-certification unless the bank in question requires you to have an audit at the lower level. Admittedly, I see where audits are very expensive, but if you're handling credit card data, there should be at least some sort of sign off.

      Obviously, moving to the auditors, the auditors are hired by the company. That usually doesn't mean much, as no auditor is going to risk their reputation for the peanuts I was paying them, but bigger companies they may be more willing to play ball with. There has been at least one auditor in that space that I am aware has either provided a product that gives certification for mere payment on-time (we obviously didn't go with them) or they will bend over to make their customer able to pass.

      While I agree this is a serious problem, I don't think it discredits the program, it is merely a hole in enforcement which you would have to deal with in any regime where big companies are involved. The big companies are good at this, it's not like they don't regularly pull one over on the government too.

      But the one thing that I think keeps people on their toes is actual third party audits which are reported out. As you might argue, some companies create what I would call "compliance fictions" that allow a once-per-year audit to be passed without actually having to change bad practices, but what are the other options that are not difficult to operate? I spend months ensuring that our security is up to par with all the reporting that we do, but if the reporting becomes too onerous, we end up having to hire more people, which is very difficult unless you are a bigger company. Regulations do have the effect of making big companies much more attractive as providers, but as we know, those sorts of companies are both more expensive, less innovative, and much more likely to attempt to influence lawmakers with their large amounts of money.

      The best things we can do are keep the auditors honest. It may be that we find a way for auditors to not be funded by companies directly, but rather through program fees paid to a trade organization. I'd prefer to keep the government out of this, as the government's security programs aren't much better outside of the classified realm, and their requirements and working with agencies and their security contractors makes me want to stab myself repeatedly just to end the pain.

         

    5. Re:joek by Anonymous Coward · · Score: 2, Funny

      I'm a PCI qualified security assessor for a smaller firm

      I'm a prince from Nigeria too! We should meet up for coffee sometime and discuss our strategies. You seem to be flying under some sort of legal banner that makes it easier for you to take money from unsuspecting people. I'd like to learn how you do this.

    6. Re:joek by Anonymous Coward · · Score: 1

      As I posted anonymously above, big companies can buy and bully their way into PCI compliance.

      Small companies can't literally afford to take it as a joke. At the company I worked for, we had enough money budgeted for one PCI audit. If we failed the audit then our company would be out of business. Two people including myself were hired because we didn't have enough personnel to have any hope of passing.

      As a result you see breaches at large companies who have clearly shopped around for the most useless auditor, have thrown money around, or have thrown lawyers around to subvert the process.

    7. Re:joek by KitFox · · Score: 1

      A different consideration can be summed up in the idea that PCI Compliance makes a company "impossible to be hacked" in the same sense that being an "important and secure government agency" makes the FBI "impossible to be hacked". A frequent view is that PCI DSS means nothing at all because even fully-compliant companies can be hacked.

      The middle ground is the concept that PCI Compliance just makes the company less likely to be breached and the recognition that common sense isn't all that common (despite the sads this causes for people who would think "don't store PII unencrypted" should be akin to "don't stab yourself in the eye with a fork in an attempt to improve your vision"). PCI compliant companies can (and will) still be hacked. This is more of a question of "Is the PCI standard a proper balance to reduce the threat, and were these companies -really- PCI compliant, or just saying they were and so we need to revisit how we are addressing this one way or another?"

      --

      @Whee

    8. Re:joek by sconeu · · Score: 1

      My read:

      PCI compliance makes you less likely to be breached -- but you still can be breached.
      PCI compliance mitigates the damage caused by said breach -- but you're still responsible.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    9. Re:joek by Zaelath · · Score: 1

      Well, this is either a complete fabrication or someone is selling PCI audit stickers for $100. I can guarantee PWC isn't charging $100...

      I can give you a degree from Kenosis University for $100 too.

    10. Re:joek by The-Ixian · · Score: 1

      I did IT consulting for SOHO to small business customers for years.

      I have set up many credit card machines and somewhere along the line these tests became required.

      It really is a total scam. They just run a glorified nmap scan of your network and try to find all of the things that are open.

      In my experience, every open port, no matter what, was flagged and assigned some kind of positive point value... Get enough points and you "fail".

      My general practice was to turn off any external facing services, queue up the test, wait for it to complete then turn on the services again.

      --
      My eyes reflect the stars and a smile lights up my face.
    11. Re:joek by nuckfuts · · Score: 1

      I've been alerted to vulnerabilities on an Internet-facing host after being scanned for PCI compliance. I found the notifications useful and informative.

    12. Re:joek by Anonymous Coward · · Score: 1

      Auditors are easily suppressed or evaded. I had an auditor once who asked excellent questions and was able to piece together a lot despite lots of obfuscation. A call to his boss and he got back in line. Despite 12 months of CC numbers with CCV and expiry being stored in a plaintext file on the server, no negative findings. This is for a backend gateway, not a merchant (ie you'd expect the rules to apply even more). PCI-DSS is an absolute lie. It exists for the purpose of insurance and marketing. It is true that a lot of companies would like to have those very basics covered, and generally will. But they won't pay someone to bring their rep down just because the company didnt want to spend the time and money on meeting the requirements. Its true that an auditor doesnt want their rep harmed by giving out lousy approvals, but there are 2 counters. For smaller auditors, a negative finding against their client means no more clients want them (or not enough to be a stable business). For larger auditors I thought we'd be boned. Turns out, larger auditors belong to larger orgs with a more diverse presence in the industry. e.g. Verizon's auditors may be reined in if their finding might harm Verizon's hosting services.

      A clever counter to this (human corruption) is improved tools. There is a tool that searches for any possible credti card numbers on the local machine. Earlier versions you could pause. So you let it run to 98%, then pause it. Review its logs to locate all the violations, then go clean them. Then restart the tool. Later versions would notify the auditor if you paused it. It was easy to block this or lie to the auditor (or suffer a server crash at a convenient time), but obviously a lot more suspicious.

    13. Re:joek by TechyImmigrant · · Score: 2, Insightful

      They failed my wife's company web site for PCI compliance, not because it wasn't PCI compliant, but they hit the honey pot (advertising an old version of mysql) I installed to create filter block lists for the intrusion filtering. So I pre-filtered the pointless PCI scanning service and the problem went away.

      The PCI-DSS specs are written by incompetents. They exude incompetence. The documents seem to encourage an understanding that as long as you write down a bunch of procedures, your computers will be secure.

      PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a comptent organization taking effective steps to improve the security of payment mechanisms.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    14. Re:joek by TechyImmigrant · · Score: 1

      PCI compliance is a joke anyway. 100% security theater.

      I'm a PCI qualified security assessor for a smaller firm, not one of the ones that was included in the above list. For one thing, compliance is not necessarily the same thing as security. And while there are some subrequirements of questionable effectiveness, none of them would qualify as 'security theater'. If I had to level a criticism on the entire system, it's this: The rigor of testing from firm to firm, and willingness to interpret requirements in ways that are beneficial to lazy sysadmins varies greatly. When assessor firms are trying to win contracts, they may not leave enough hours to sufficiently test an environment, so they cut corners and miss things. Companies that don't see eye to eye with their QSAs (for example, we break the news that a very expensive configuration is not compliant) will ditch them, and shop for someone who will agree with them. This isn't allowed, but I haven't heard much in the way of enforcement.

      To the article's point, what both assessed companies and the FTC need to understand is that assessments are a point in time. They may have recently gotten a clean report on compliance, but they probably still were not PCI compliant at the time of breach. And just because you're PCI compliant doesn't mean that you won't get breached. Like any other compliance measure, it is simply the cost of entry to be a standard-bearer of major card brands.

      What you didn't mention is that the companies are being subject to blackmail. Pay $100 and get a PCI stamp of approval, or pay a higher per-transaction credit card fee. How this is not illegal is beyond me.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    15. Re:joek by tnk1 · · Score: 1

      PCI compliance is merely showing that you have done a due diligence and audited check of your security against (mostly) sound security principles.

      Reality is... PCI can't stop all attacks. Not much can, truth be told, unless you're an NSA level operator, and even they suffered an Edward Snowden. The proper process and security program can stop some of the attacks and mitigate the damage of successful attacks.

      In terms of legal liability, IANAL so it is hard to say what effect it will have, but it could reduce it to near zero, if you can prove that you had a good faith attempt to secure your application.

      On the other hand, as an application provider, you also have specialized knowledge of your application and you should be able to do better than the PCI bare minimum, so if you fail to secure areas that are in your own area of reasonable expertise, you may suffer liability, but hopefully less liability than someone who failed or gamed the PCI process.

      After all, if you lock your door and secure it, but a thief is somehow able to easily remove the bricks for your wall and smash through the drywall to get in and take your stuff, there's really only so far you can go to protect your stuff.

      If done right, this handles the low hanging fruits, and possibly some of the middle ground, but it can't do squat against 0-day attacks that no one else knows about. Most companies have no ability to gain knowledge of 0-day attacks, and as we saw with Heartbleed, it can go on for years before it becomes public.

      Further, before Heartbleed was public, it was also a lot less well known to all possible attackers. Once publicized, the race is on to prevent everyone else out there from using it, and if PCI is working properly, you may not stop the 0-day attacks, but you won't have your pants down after they have been announced.

      So, PCI, or some regime is a necessary, but not complete method of stopping attacks. It's part of a defense in depth approach.

    16. Re:joek by Acid-Duck · · Score: 2

      Since no one else did yet and you seem to be oblivious to this fact, allow me to be the first to say so:

      While PCI audits aren't perfect, people like you are the bigger problem. You're too god damned lazy to read (and probably too stupid) to understand or even act on the feedback provided by the report so instead you cheat to pass the test.

      One of the most confusing aspects of PCI audits for noobs like yourself is the fact that applications installed using package managers (as opposed to compiled from source) will often have inferior version numbers, despite the fact they're still safe since security patches are back-ported.

    17. Re:joek by tnk1 · · Score: 1

      I think what you're saying is a serious problem with the enforcement system, and I know companies do this.

      I do want to be careful though. One place I worked, they said that PCI was a joke for the reasons that you stated, but I know they said that just because they couldn't be arsed to do PCI for real and knew we wouldn't be able to skate by.

      So, it is important to differentiate the actual process of having audits and standards with how those audits are run. I agree that we need a new process for enforcement, but I want to make sure that we aren't just feeding the excuses of people like those I worked with, who were more than happy to trash PCI so that they could get on with making products with little regard for security except where they thought it would look good as a fancy looking "feature" they could sell, but left the door wide open in other areas like secure coding and operating the environment.

    18. Re:joek by TechyImmigrant · · Score: 1

      Bullshit. What part of credit card handling involving a third party processor, doesn't requires the $100 charge in return for reduced transaction fees? The standard isn't public. It's the work of a cartel. I can read it, but I have no democratic influence over its contents. Once I have transferred my credit card processing fully to a third party (I have), I still have to pay the protection money to avoid the higher charges.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    19. Re:joek by Anonymous Coward · · Score: 1

      One of the most confusing aspects of PCI audits for noobs like yourself is the fact that applications installed using package managers (as opposed to compiled from source) will often have inferior version numbers, despite the fact they're still safe since security patches are back-ported.

      Which is why people work around the increasingly useless audits. You either spend ten minutes prepping for it, or you spend weeks arguing that yes, RedHat backported a resolution to that security problem six fucking years ago, you dickless felchers.

    20. Re:joek by TechyImmigrant · · Score: 1

      I did not cheat the test. The test was a fraudulent, claiming to identify flaws in my network that were not present.

      What I want is for the payment processing industry to adopt well understood cryptographic methods to enable customers to pay vendors, without exposing usable credentials to the vendor and to cease with the blackmail tactics that they use as a substitute.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    21. Re: joek by cdwiegand · · Score: 1

      And then they charge more, or just fail you anyways because they must know more than you or you'd be in that business yourself. It's lame, but it's also really easy for online sites to offload PCI compliance through almost every processor out there, so there's no reason to store the cc info yourself.

      --
      . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
    22. Re:joek by Anonymous Coward · · Score: 1

      I work for a managed service provider and, among many other things, I provide support for linux-based clients who failed their PCI-DSS audit. Addressing a failure which is based on miss-matched versions is as easy as pointing to the changelog documentation for your currently installed package and highlighting to the auditor the part of the changelog which specifically addresses the security vulnerability found in the audit report. It usually takes me ~1min per item to address such failures. Like someone already said, these audits aren't perfect however there are valid recommendations in them.

      Another important comment which was already made: A "pass" means the system was compliant at that specific point in time. Some new weakness could of been discovered a week later (or even the next day) and then suddenly the system is vulnerable to an attack, despite having passed PCI-DSS the day before.

      Just because you don't like the way things are done, or you find them to be inefficient, doesn't mean you should put your employer/clients at risk by cheating on their PCI-DSS audits. I agree with the above poster, people like you are part of the problem.

         

    23. Re:joek by Chuck+Chunder · · Score: 1

      I did not cheat the test. The test was a fraudulent, claiming to identify flaws in my network that were not present.

      Well, you did "cheat" the test. A scan is just a scan, it isn't 'fraudulently' doing anything, it's just reporting a possible problem. It's up to you to justify any listening port with a business reason and demonstrate appropriate controls for the service.

      Of course it's not immediately clear what sort of compliancy tests you are doing. If it's just Tier 3 then you probably not paying much for your ASV and they are geared (and priced) for scenarios where scans show very little is in scope and not much manual appraisal is done. If it's a higher tier then you should be dealing with people who take the time (and are being paid to) to understand your system and make an informed assessment.

      PCI isn't perfect but isn't awful as a set of minimum standards and guidelines.

      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    24. Re:joek by TechyImmigrant · · Score: 1

      The PCI can is indeed awful, because (1) the actions it has people take have no effect on the underlaying insecurity of the payment card systems and (2) it comes with a 'pay us or we have the banks charge you more transaction fees' threat for this useless service . The payment card industry needs to fix its crappy, insecure payment cards first before accusing businesses, who have no control over the payment card industry that the cause of insecurity it their fault for not paying for a PCI scan.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    25. Re:joek by Bert64 · · Score: 1

      Just because you are compliant, does not mean you're secure.
      That said, PCI compliance is an obstacle to business and most of the PCI accreditors are not very technically minded so a lot of companies blag their way through by misleading their QSA...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    26. Re:joek by Bert64 · · Score: 1

      Often those audits are based purely on a blind external scan, so while you get the false positives due to backported security fixes you can also get false negatives where the banners have been turned off or changed.

      To do the job properly, you really need access to the host so you can audit it thoroughly and determine whats installed, how its installed and wether it has backported patches or similar but a lot of clients don't want to do that... They think that a completely blind test is "more realistic", despite the fact that you have numerous limitations imposed on you (limited time, can only attack the specific targets and not try looking for other less obvious ways in, cant do anything that might risk crashing the host or service etc).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    27. Re:joek by Bert64 · · Score: 1

      PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a comptent organization taking effective steps to improve the security of payment mechanisms.

      The PCI-DSS specs are a huge compromise... If they made them too tough then the vast majority of companies would be completely unable to be compliant with their existing systems, and would basically have to build an entire new network for dealing with card data. If you make something too difficult then noone will do it at all, and noone would ever enforce that because the card companies actually want people to use cards.

      So what you have instead is a baby step, PCI-DSS may not be very good but it's better than the only actual alternative - nothing at all.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    28. Re:joek by Chuck+Chunder · · Score: 1

      The payment card industry needs to fix its crappy, insecure payment cards first before accusing businesses,

      It's not entirely clear what you mean by "payment card industry". The "payment card industry" is everybody, including "businesses" and there's an awful lot of existing infrastructure all that has to keep working. It sounds like you are complaining about card schemes (Visa, MasterCard, Amex) but the Tokenisation stuff they've come up with via EMVco is pretty good, it's just there's an awful lot of infrastructure (including at "businesses") that needs to be updated to work with it. (Indeed EMV one time payment tokens appear to be one of the modes supported by ApplePay, so it's probable that people are doing such payments today, but probably only in cases where the cardholder's bank supports it, the merchant supports it in their app, and the merchant's payment gateway supports it, etc etc etc).

      But saying the payment industry should do X "before" trying to improve security at businesses is ludicrous, security is about dealing with the real world and trying to make what is already there better, not doing nothing until some ideal solution becomes available.

      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    29. Re:joek by TechyImmigrant · · Score: 1

      PCI as in the PCI in PCI-DSS and the associated companies responsible for plaintext magstripe credentials still being in use today.

      Saying "We're EMVco and we're so awesome for developing chip & pin" while mag stripes are still accepted everywhere and the mostly pointless chip & signature is what is foisted on the public is pretty bloody disingenuous.

      We have a business with a store and at no point have we been given the option of buying or using payment equipment that can only be placed in a secure configuration.

      It is the classic security faux pas of securing the front door (and not very well) while leaving the back window open. No criminal needs to bother cracking chip&pin when they plaintext mag stripes are in broad use.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    30. Re:joek by RockDoctor · · Score: 1
      I still remain completely in the dark.

      From your description, your work in $JURISDICTION$?

      But , does this ruling apply to $OTHER_JURISDICTION$?

      I don;t live in America, and have no desire to visit America, or to conduct business with anyone whose contract law is based in America.

      Do I need to concern myself with someone called "FTC"?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Conflict of interest by Aaden42 · · Score: 1

    This could get interesting. It always bugged me a bit that you’re paying a company (you’re their client) to give you a stamp of approval, and the only thing you need to avoid a bunch of liability is that stamp of approval. Doesn’t seem like there’s any disincentive to them to just pass you if you give them enough money. Maybe they fail you, you pay a bunch of hush^Wconsulting money for them to help you get compliant, then they pass you.

    There’s definitely a lot of good things in PCI-DSS, but there’s a difference between getting a bunch of checkmarks on a list versus actually incorporating the security recommendations into your development cycle and systems design.

  3. Commie fascism! by fuzzyfuzzyfungus · · Score: 2, Funny

    How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?

    1. Re:Commie fascism! by rsborg · · Score: 2

      How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?

      Because the invisible hand is very good at stealing from us?

      --
      Make sure everyone's vote counts: Verified Voting
  4. Pay to win. by BrookHarty · · Score: 2

    If the compliance company won't help you pass, they wont be in business long. Compliance companies want customers to pass, so they get hired again and not black listed.

    This is why nobody is failing.

    1. Re:Pay to win. by tnk1 · · Score: 1

      Well, they can't just walk in there, tell you that you fail, and walk out. I mean, you *could* do that, but you don't want a standard to immediately put you out of business if you have a flawed, but good faith effort to comply. PCI is not about hitting a target and nothing else. You want an auditor to work with you to get you back into shape.

      Of course, you're probably suggesting that the "help" isn't from improvements, but rather from gaming the system. In that sense, it is possible for that to happen. I think the funding for audits should come from a different place, or some other organization selects the auditor if the audit target is paying for it.

      That said, we should certainly not put all our fish into the PCI basket. Security is definitely not something that comes out of a set of requirements for a certification. At best it is a framework for you to use to get your InfoSec program to a certain minimum standard.

    2. Re:Pay to win. by geekmux · · Score: 1

      If the compliance company won't help you pass, they wont be in business long. Compliance companies want customers to pass, so they get hired again and not black listed.

      This is why nobody is failing.

      Wanna know a surefire way to short-circuit that bullshit from happening? Hold the asshats "helping" you pass legally liable for the systems they certify as compliant.

      I know that will likely never happen, and we'll continue this political ass-kissing game of validation by palm grease.

      In light of that, what needs to happen is companies that suffer massive breaches stand up and sue the living shit out of the org that certified them as compliant.

  5. Yeah! by sotweed · · Score: 2

    Great idea for the FTC to do this, and very appropriate. The breach business is getting out of hand.

    Unfortunately, in a situation like this, it is common, if not habitual, for organizations to be compliant with
    the standard, or the government rules, and rest there. Those standards, such as PCI in this case, should be
    regarded as the minimum they have to do, not the maximum.

  6. We'll help you fix things to pass. We're audited by raymorris · · Score: 2

    We'll "help you pass", and help you be more secure, by telling you where some of your vulnerabilities are and giving you pointers on how to fix them.

    The PCI DSS company is itself audited. The company I work for is preparing for our annual audit right now and we're improving our scanning in order to pass the test. Those improvements are improvements in how well we scan our customers.

  7. What? by ArchieBunker · · Score: 1

    Any idea what "PCI DSS assessments" means? Don't utilize that new fangled thing called a hyperlink to let anyone know.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:What? by SeaFox · · Score: 1

      This is the Information Superhighway 2.0, where everything is toll roads. You're supposed to go "Hey Google, what's a PCI DSS assessment?" to your smartphone instead of using that archaic mouse to click a link to an actual authority of the topic.

    2. Re:What? by citizenr · · Score: 1

      its probably things like this: http://csrc.nist.gov/publicati...
      = determining needed password length based on assumption of using 300 baud modem connection to the server etc

      --
      Who logs in to gdm? Not I, said the duck.
  8. Re:We'll help you fix things to pass. We're audite by gmack · · Score: 1

    This is how it was for the company I worked for a few years ago. The auditor walked in said "it's secure but it doesn't meet the standard" and I had to spend the next 3 days reworking my network setup in order to pass.

  9. Re:Yeah! by IT.luddite · · Score: 1

    That's why it's security compliance and not security. You get what you measure, and you're measuring the minimum.

  10. This happens all the time (see The Big Short) by rsborg · · Score: 1

    This could get interesting. It always bugged me a bit that you’re paying a company (you’re their client) to give you a stamp of approval, and the only thing you need to avoid a bunch of liability is that stamp of approval. Doesn’t seem like there’s any disincentive to them to just pass you if you give them enough money. Maybe they fail you, you pay a bunch of hush^Wconsulting money for them to help you get compliant, then they pass you.

    There’s definitely a lot of good things in PCI-DSS, but there’s a difference between getting a bunch of checkmarks on a list versus actually incorporating the security recommendations into your development cycle and systems design.

    The financial crisis was made possible by a willful negligence on the part of ratings agencies and big banks who paid to have their financial instruments rated.

    The Enron crisis had the same hallmarks.

    This shit is still going on in a lot of places. Glad to see the FTC putting it's teeth into some of it.

    --
    Make sure everyone's vote counts: Verified Voting
  11. I got stuck doing PCI compliance before .... by King_TJ · · Score: 1

    At a previous job (small "family owned" business), they really didn't even handle credit cards very often. But every once in a while, they'd get the walk-in or phone in customer who wanted to pay with one. As the only I.T. guy on staff, I was tossed the mandate to "do the PCI compliance thing, since our bank says we need to start doing it".

    I had to do kind of a crash course in it (while they signed us up with a company who would certify us "compliant" after I jumped through all of their hoops).

    It's been a while now, but as I recall -- I was able to skip a huge test full of compliance questions simply by telling them we used an outside card processor over the Internet and didn't store any card data locally. I still had to make sure their monthly "penetration testing" passed/didn't find issues, and had a much shorter (25 questions or so?) compliance test to fill out annually.

    They complained about several issues that seemed fairly pointless in our situation, although I understood the logic behind about 80% of it. (I remember them always flagging a "warning" because our firewall allowed connections through ports necessary for regular business operations. And I believe one of their demands was that "any computer connecting to the card processing site had to be isolated from the rest of the local network". That was, IMO, overkill and created as many security issues as it solved, since we had Microsoft's WSUS running to push security patches to the workstations automatically, once approved by me -- and I wanted some kind of way to do remote administration or maintenance on these boxes, via the normal procedures used to access any other systems on the LAN.)

    So basically, I tried to comply with anything listed that was reasonable -- and "fudged" things on a couple line items. I imagine that's how most companies treat this stuff?

    1. Re:I got stuck doing PCI compliance before .... by vux984 · · Score: 3, Informative

      A small family owned business can't be PCI compliant UNLESS they outsource the compliance. PCI compliance for any on-premises card information handling requires multiple individual staff (one IT person can't 'audit' himself) responsible for different roles.

      Honestly it all makes a lot of good sense.

      Once you switch to an external card processor, life gets pretty simple. PCI compliance is on them not you. For example, an online business with a webstore, the staff never have to touch card information, so you are compliant as long as your procedures stipulate that you don't.

      For a more retail place, bring in a payment terminal, and its pretty much plug and play.

      As soon as you start entering card numbers into your own computer, then you have to start taking steps to ensure the computers aren't pwned. Virus installed and up to date, firewalled, secure network, etc. But if you don't want to deal with it, don't enter card information into your computers, and just use a payment terminal.

      And I believe one of their demands was that "any computer connecting to the card processing site had to be isolated from the rest of the local network". That was, IMO, overkill and created as many security issues as it solved

      In a mom and pop, it's probably all of them anyway, and the one LAN server they talk to is PART of their local area network. (Think larger businesses, where one department might handle cards but another doesn't. The computers from the other department shouldn't be on the same lan. All the computers should still be able to talk to your WSUS server though.

      Sufficient segregation can be achieved with VLANs and a router. It's not that they aren't allowed to talk to your WSUS server, its that the 30 workstations in marketing can't talk to them. Then you just have to audit your server for PCI compliance but allows you to ignore those 30 marketing PCs for PCI compliance.

      and I wanted some kind of way to do remote administration or maintenance on these boxes,

      A typical VPN setup should have been fine, especially if you restricted the inbound ip ranges.

      You definitely made the right choice using an external processor; you probably could have gotten through without fudging (and your network would have been genuinely slightly more secure if you'd done something along the lines of what i outlined.)

      (I remember them always flagging a "warning" because our firewall allowed connections through ports necessary for regular business operations.

      I'm not sure what this would be. Why would your firewall have wide open public facing to systems that were handling card data?

    2. Re:I got stuck doing PCI compliance before .... by citizenr · · Score: 1

      A small family owned business can't be PCI compliant UNLESS they outsource the compliance. PCI compliance for any on-premises card information handling requires multiple individual staff (one IT person can't 'audit' himself) responsible for different roles.

      Honestly it all makes a lot of good sense.

      on paper, in reality you end up with clueless non technical pencil pushing rubber stampers playing golf with C level people.

      --
      Who logs in to gdm? Not I, said the duck.
    3. Re:I got stuck doing PCI compliance before .... by vux984 · · Score: 1

      Yes and no. It's a good set of requirements, if read and implemented by competent IT people looking to achieve security.

      But you are also right, if its read by a team of lawyers looking to minimally slide through, and audited by a team of lawyers looking to let you slide through those loopholes for their rubberstamped "PASS"... then yes, you end up with with a worthless rubber stamped facsimile of a secure system.

    4. Re:I got stuck doing PCI compliance before .... by vux984 · · Score: 1

      Wrong. Just wrong. You're still responsible for PCI compliance for any systems that host the site, even if the payment link is done via a redirect, iFrame, etc.

      Your PCI compliance amounts to little more than signing off that you aren't touching card data at all. And that you are using a PCI compliant party to handle it.

      Yes, you have some obligations to ensure that your site isn't pwned, and redirecting your customers to a fake payment gateway. But that doesn't require you have dedicated baremetal server running in the locked down PCI-DSS compliant wing of the data center. It requires some routine minimal security configuration and maintenance that you should be doing anyway, and it is not at all an onerous burdern.

      If you're using an API to take the card info and forward it along to the third-party payment processor, your PCI compliance responsibilities increase even more,

      Do that, and you expose yourself to full PCI compliance requirements, because now you ARE handling card data.

      This idea that you can escape all responsibility simply by not seeing the card data is a common myth that needs to die.

      Fair enough, you don't escape "ALL" responsibility, but it turns it into routine maintenance that even the smallest shops can easily comply with.

  12. If it was PCI, that was a pass (except convenience by raymorris · · Score: 2

    The PCI DSS standard explicitly allows for alternative methods of meeting the security goal, so as long as it's demonstrably secure it should pass. However, if the standard security practices aren't in place, you do have document why it's secure without the expected measures.

    If this was for PCI, the auditor may have made an error, or (likely) there was an error in communication. It would be correct to say "this is secure and therefore will pass, but since it's non-standard you'll need to send in documentation to each auditor. It may be more convenient use standard practices rather than documenting non-standard practices. "

  13. Re:If it was PCI, that was a pass (except convenie by gmack · · Score: 1

    He was from IBM and not very flexible. If he didn't like it, I had to change it and most of the changes were down to network seperation. The end result was rather solid so aside from a few 12 hour days, I have no complaints.

  14. PCI like SSL certs and tld's by future+assassin · · Score: 1

    cheap way to print money from nothing,

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  15. Hey FTC you should hit up security metrics by WaffleMonster · · Score: 1

    I think the FTC just hit a jackpot. For sure lots of ripe low hanging fruit to be plucked in the PCI theatre/shakedown arena.

    I've personally had issues with Security Metrics. Noticed after the fact an online purchase was conducted entirely in the clear. I contacted the "secured by" banner to complain. Responses I got back were priceless. First they said they were NOT complaint even though their own site still showed they were. When I brought this up all I got was silence followed by no action taken to correct admittedly invalid assertion of certification.

    Then months later they told me they were NOW compliant and found no vulnerabilities even though anyone buying something from the site never sees a secure page. All facts trivially confirmed with seconds of manual effort. Even when I brought it up over a series of months, being very polite giving them plenty of time to respond/correct it was like talking to a brick wall.

    Nobody cares and nobody seems to have a REASON to care.

    From PCI gods to ASAs on down everyone in the chain explicitly disclaims responsibility for their own (in)actions.

  16. PCI DSS is a mixed bag by Beryllium+Sphere(tm) · · Score: 1

    At its best it's prescriptive and incorporates some sound practices. At its worst, it's as bad as you say.

    At least one cynical person has suspected it's all just a way for the card issuers to shift liability to merchants ("Your Honor, we will show the defendant was out of compliance with the following vague language ...").

    At least it's better than HIPAA but that's setting the bar pretty low.

  17. re: open ports on firewall by King_TJ · · Score: 1

    The reason we kept getting flagged for open firewall ports is because the only connection in or out of the Internet was via that firewall and router. So any outside "penetration testing" had to test against the firewall and whatever it saw behind it.

    The rules we had configured were to allow certain ports to forward to specific servers though .... nothing related to the workstation in the office running the card processor's software. But their automated testing didn't care. It wasn't intelligent enough to know that those ports led to things like our in-house Exchange server, or ability to connect to a terminal emulation session to a Unix box running an ancient software package for sales and CRM. They just said, "point us to your IP address so we can test it" and that's the only IP we had to give them.

  18. Re: open ports on firewall by vux984 · · Score: 1

    The reason we kept getting flagged for open firewall ports is because the only connection in or out of the Internet was via that firewall and router. So any outside "penetration testing" had to test against the firewall and whatever it saw behind it.

    Yeah, I suspected this was the case after I posted.

    But that is essentially why they were "only" warnings. You get the list of open ports, and you sanity check each one.

    Imagine if you were the actual online processor handling webstores... your front facing web server is GOING to be open on the HTTPS port for communications with the various embedded iframes or whatever widget you are using for your customers.

    They'll do the pen-test and they'll flag that port open with a warning.

    You'll get the report, see that HTTPS is open, and rubberstamp it as a-ok, because you know that port is supposed to be open.

    If the report comes back with another port open, though, that will be flagged as well, and you might do a double-take, hey... that is NOT supposed to be open.

    In your case, the open ports list you know are port forwarded to legitimate services on diffrent machines, so you can disregard them. But if that warning list came in one year with a port you weren't aware of... you'd follow up, and investigate it. That is the point of the port flagging and warning... not because you can't have open ports and be in compliance, but because you should be aware of each one, what it is for, and where it goes.

  19. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion