FTC Demands Info From PCI Auditors On Breached Companies' Compliance

Trailrunner7 writes: The Federal Trade Commission has sent an order to nine of the larger companies that do PCI DSS assessments, demanding that the organizations turn over detailed information on how they conduct those audits, how often they actually declare a company non-compliant, and many other details. The FTC on Monday said it has sent orders to nine of these companies, including Mandiant, PricewaterhouseCoopers, and Verizon Enterprise Solutions, requiring that they provide details of how they handle those assessments. Specifically, the FTC is very interested in how many companies were deemed PCI compliant in the year before they suffered a data breach. Many companies that have been victims of data breaches over the years have touted the fact that they were PCI compliant at the time of their breaches. This has not escaped the FTC's notice.

13 of 101 comments

  1. joek by blackomegax · · Score: 2

    PCI compliance is a joke anyway. 100% security theater.

    1. Re: joek by Anonymous Coward · · Score: 3, Funny

      Yeah, and PCI express is much faster anyway.

    2. Re:joek by Anonymous Coward · · Score: 3, Insightful

      I had a retail company that ran credit cards. We had to "pass" an "audit" yearly. Took $99 to pass, simple as that. They supposedly did "auto" testing on the IP address for our store. Which was a dynamic IP address to start with and was not static. Small ma-n-pa retail shop. So while they had an IP address when I first logged into their website, they continued testing that one IP address after it had changed dozens of times and still continue to test that old Comcast IP address even though the store now runs through a different provider...

      It's a joke and a scam.

    3. Re:joek by Anonymous Coward · · Score: 2, Funny

      I'm a PCI qualified security assessor for a smaller firm.

      I'm a prince from Nigeria too! We should meet up for coffee sometime and discuss our strategies. You seem to be flying under some sort of legal banner that makes it easier for you to take money from unsuspecting people. I'd like to learn how you do this.

    4. Re:joek by TechyImmigrant · · Score: 2, Insightful

      They failed my wife's company web site for PCI compliance, not because it wasn't PCI compliant, but they hit the honey pot (advertising an old version of mysql) I installed to create filter block lists for the intrusion filtering. So I pre-filtered the pointless PCI scanning service and the problem went away.

      The PCI-DSS specs are written by incompetents. They exude incompetence. The documents seem to encourage an understanding that as long as you write down a bunch of procedures, your computers will be secure.

      PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a competent organization taking effective steps to improve the security of payment mechanisms.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.

    5. Re:joek by Acid-Duck · · Score: 2

      Since no one else did yet and you seem to be oblivious to this fact, allow me to be the first to say so:

      While PCI audits aren't perfect, people like you are the bigger problem. You're too god damned lazy to read (and probably too stupid) to understand or even act on the feedback provided by the report so instead you cheat to pass the test.

      One of the most confusing aspects of PCI audits for noobs like yourself is the fact that applications installed using package managers (as opposed to compiled from source) will often have inferior version numbers, despite the fact they're still safe since security patches are back-ported.

  2. Commie fascism! by fuzzyfuzzyfungus · · Score: 2, Funny

    How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?

    1. Re:Commie fascism! by rsborg · · Score: 2

      How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?

      Because the invisible hand is very good at stealing from us?

      --
      Make sure everyone's vote counts: Verified Voting

  3. Pay to win. by BrookHarty · · Score: 2

    If the compliance company won't help you pass, they won't be in business long. Compliance companies want customers to pass, so they get hired again and not blacklisted.

    This is why nobody is failing.

  4. Yeah! by sotweed · · Score: 2

    Great idea for the FTC to do this, and very appropriate. The breach business is getting out of hand.

    Unfortunately, in a situation like this, it is common, if not habitual, for organizations to be compliant with the standard, or the government rules, and rest there. Those standards, such as PCI in this case, should be regarded as the minimum they have to do, not the maximum.

  5. We'll help you fix things to pass. We're audited by raymorris · · Score: 2

    We'll "help you pass", and help you be more secure, by telling you where some of your vulnerabilities are and giving you pointers on how to fix them.

    The PCI DSS company is itself audited. The company I work for is preparing for our annual audit right now and we're improving our scanning in order to pass the test. Those improvements are improvements in how well we scan our customers.

  6. If it was PCI, that was a pass (except convenience by raymorris · · Score: 2

    The PCI DSS standard explicitly allows for alternative methods of meeting the security goal, so as long as it's demonstrably secure it should pass. However, if the standard security practices aren't in place, you do have to document why it's secure without the expected measures.

    If this was for PCI, the auditor may have made an error, or (likely) there was an error in communication. It would be correct to say "this is secure and therefore will pass, but since it's non-standard you'll need to send in documentation to each auditor. It may be more convenient to use standard practices rather than documenting non-standard practices."

  7. Re:I got stuck doing PCI compliance before .... by vux984 · · Score: 3, Informative

    A small family owned business can't be PCI compliant UNLESS they outsource the compliance. PCI compliance for any on-premises card information handling requires multiple individual staff (one IT person can't 'audit' himself) responsible for different roles.

    Honestly it all makes a lot of good sense.

    Once you switch to an external card processor, life gets pretty simple. PCI compliance is on them not you. For example, an online business with a webstore, the staff never have to touch card information, so you are compliant as long as your procedures stipulate that you don't.

    For a more retail place, bring in a payment terminal, and it's pretty much plug and play.

    As soon as you start entering card numbers into your own computer, then you have to start taking steps to ensure the computers aren't pwned. Virus installed and up to date, firewalled, secure network, etc. But if you don't want to deal with it, don't enter card information into your computers, and just use a payment terminal.

    And I believe one of their demands was that "any computer connecting to the card processing site had to be isolated from the rest of the local network". That was, IMO, overkill and created as many security issues as it solved.

    In a mom and pop, it's probably all of them anyway, and the one LAN server they talk to is PART of their local area network. (Think larger businesses, where one department might handle cards but another doesn't. The computers from the other department shouldn't be on the same LAN. All the computers should still be able to talk to your WSUS server though.)

    Sufficient segregation can be achieved with VLANs and a router. It's not that they aren't allowed to talk to your WSUS server, it's that the 30 workstations in marketing can't talk to them. Then you just have to audit your server for PCI compliance, which allows you to ignore those 30 marketing PCs for PCI compliance.

    and I wanted some kind of way to do remote administration or maintenance on these boxes,

    A typical VPN setup should have been fine, especially if you restricted the inbound ip ranges.

    You definitely made the right choice using an external processor; you probably could have gotten through without fudging (and your network would have been genuinely slightly more secure if you'd done something along the lines of what I outlined.)

    (I remember them always flagging a "warning" because our firewall allowed connections through ports necessary for regular business operations.)

    I'm not sure what this would be. Why would your firewall have wide open public facing to systems that were handling card data?
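The segmentation vux984 describes above (card-handling VLAN, a marketing VLAN that may never reach it, a shared WSUS server both can reach, and a VPN for remote administration restricted to known source ranges) can be written down as a default-deny router policy and checked before anyone argues about audit scope. The following is an added illustration, not code from the thread or from any PCI tooling; the VLAN names, address ranges, the WSUS port 8530 and the admin source range are all constructed assumptions. `pci_scope()` lists the VLANs the policy lets exchange traffic with the card VLAN, which is the set the assessor would actually need to look at.

```python
"""Hypothetical VLAN segmentation policy for a small card-handling network.

Constructed example: three VLANs behind one router with a first-match,
default-deny ACL, plus a source allowlist for the remote-admin VPN.
All names, ranges and ports are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed VLAN layout (RFC 1918 space). Anything the ACL lets talk to the
# "card" VLAN is in PCI scope; everything else can stay out of the audit.
VLANS = {
    "card": ip_network("10.10.0.0/24"),       # POS / card-entry workstations
    "marketing": ip_network("10.20.0.0/24"),  # the 30 marketing PCs
    "servers": ip_network("10.30.0.0/24"),    # WSUS update server lives here
}


@dataclass(frozen=True)
class Rule:
    src: str     # source VLAN name, or "internet"
    dst: str     # destination VLAN name, or "internet"
    port: int    # TCP destination port; 0 matches any port
    action: str  # "allow" or "deny"


# Router ACL for new connections (first match wins, unmatched traffic is dropped;
# return traffic is implied by a stateful firewall). 8530 is WSUS's default
# HTTP port; 443 to "internet" models TLS to the external card processor.
ACL = [
    Rule("card", "servers", 8530, "allow"),       # card PCs pull updates from WSUS
    Rule("marketing", "servers", 8530, "allow"),  # marketing PCs pull updates too
    Rule("marketing", "card", 0, "deny"),         # marketing never reaches card VLAN
    Rule("card", "marketing", 0, "deny"),         # and card PCs never reach marketing
    Rule("card", "internet", 443, "allow"),       # only TLS to the processor leaves
]


def vlan_of(addr: str) -> str:
    """Map an IP address to its VLAN name; anything outside VLANS is 'internet'."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "internet"


def allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Decide whether the router lets src_ip open a TCP connection to dst_ip:port."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst:
        return True  # same VLAN: traffic never crosses the router at all
    for rule in ACL:
        if rule.src == src and rule.dst == dst and rule.port in (0, port):
            return rule.action == "allow"
    return False  # default deny


def pci_scope() -> set[str]:
    """VLANs that an allow rule connects to the card VLAN in either direction."""
    scope = {"card"}
    for rule in ACL:
        if rule.action == "allow" and "card" in (rule.src, rule.dst):
            scope.update({rule.src, rule.dst})
    scope.discard("internet")  # the processor is the processor's problem
    return scope


# Remote administration over VPN: accept the tunnel only from known ranges.
# 203.0.113.0/28 is documentation space (TEST-NET-3), a constructed placeholder.
VPN_ADMIN_SOURCES = [ip_network("203.0.113.0/28")]


def vpn_source_permitted(addr: str) -> bool:
    """True when the VPN should even answer a handshake from this address."""
    ip = ip_address(addr)
    return any(ip in net for net in VPN_ADMIN_SOURCES)


if __name__ == "__main__":
    print("marketing -> card SMB:", allowed("10.20.0.7", "10.10.0.5", 445))
    print("card -> WSUS:", allowed("10.10.0.5", "10.30.0.10", 8530))
    print("in PCI scope:", sorted(pci_scope()))
```

The two deny rules are redundant under default deny but are kept explicit so the intent survives a later "temporary" allow rule appended above them; with first-match semantics, anyone adding a broad allow below the denies still cannot open marketing to the card VLAN.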