Visa/PCI fine challenged

Postby rapier57 » Fri Oct 04, 2013 5:45 pm

This is an interesting case:

http://www.mainjustice.com/2013/10/03/g ... penalties/

We've all known that Visa's penalties are punitive and arbitrary since PCI was first introduced. Granted, the PCI DSS holds a number of best practices up, but also perpetuates lazy approaches to checkbox security. Still, from the start, I've called the PCI a super-agency that breaks national and territorial boundaries and imposes completely arbitrary regulations and penalties that bypass due process and local authority.

Cheers to Genesco for trying. Hope they win.
Last edited by rapier57 on Sat Oct 05, 2013 7:52 am, edited 1 time in total.
Rapier57.

Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.



Re: Visa/PCI fine challenged

Postby Aspman » Fri Oct 04, 2013 7:23 pm

Ooooh interesting.

When I get a minute (hahahahah) I need to read up on PCI V3 that's just about to drop.

PCI is a racket anyway.
"Man will never be free until the last king is strangled with the entrails of the last priest."
- Denis Diderot (1713-1784)

Re: Visa/PCI fine challenged

Postby rapier57 » Sat Oct 05, 2013 5:52 pm

While the PCI DSS was a good idea, in theory, it has never lived up to its potential in practice. Basically, it imposes another layer of regulation (not required by government or industry, but by an arbitrary third party) that must be added on. The regulation does have its good points, but in practice and implementation it becomes another checklist that must be run. Also, expensive audits and tests are required to prove compliance.

Still, breaches happen and they happen to organizations who are "PCI DSS Compliant" and maintained their expensive status through audits and tests.

Depending on your organization's home country, PCI DSS is just one of many regulatory requirements. None of them work as intended and none of them guarantee you won't experience a breach. They do guarantee that if a breach occurs, you will be held up to international ridicule, will suffer immense financial penalties and lose business as partnerships dissolve and participants distance themselves from your organization.

The only thing you can be assured of is that you have already been breached, the bad guys have been in your system for a long time, and when you discover the breach you just see the tip of the iceberg.

Your best defense and solution is well-trained and loyal information technology and information security staff who take an active role in the organization's efforts to maintain security throughout. They also lead the charge in developing and implementing sound, workable internal information security policy and practices. This includes:

    Maintaining the skills and abilities of the IT/IS staff
    Security practices and awareness must be universal--including the C-suite (this means no special users)
    Equipment and systems must be patched, maintained and monitored
    Questionable practices and behaviors must be fairly called out and no retribution allowed
    Development best practices must be strictly adhered to (such as no testing on production data and no developer access to production data or environments)
    Test and development systems must be maintained in the same way as production
    Test and development systems must be separate and firewalled from production with no convenience ports
    Secure coding must be taught, practiced and adhered to throughout the development and test process
    If a language or coding package cannot meet secure coding practice, get rid of it and move to one that can
    You must have an active, practiced and well-thought-out incident response plan

This isn't a list of things I think are important. They are things that would have prevented large, public, expensive and embarrassing breaches in the recent past.

The Adobe breach just underscores the fact that most companies give IS lip service, put your individual financial and personal data at risk and just really don't give a crap.

OK, I'm done.
Rapier57.

Re: Visa/PCI fine challenged

Postby Aspman » Sat Oct 26, 2013 7:30 pm

Compliance = transfer of risk and liability

90% of the time.
