Monday, June 02, 2008

So What? Does the Hannaford breach imply PCI is a waste?

This question has been on my mind for a few weeks, and I wanted to stir the pot a bit.

Hannaford was PCI compliant at the time of the breach, so what does this really mean?

Should a company spend millions up front, when it was documented that even though they were compliant, they had to spend millions more after the fact?

What does that say about the standard itself?

What fines are going to be handed out? Is proving PCI Compliance the 'Get out of Jail Free' card and so no fines will be doled out?

If I am a company that has followed this case, why spend the money on getting PCI compliant when it appears that even if I am, the only benefit is that I avoid fines? And if the fines are less than the remediation PLUS the compliance process, what is the value to me as a business of getting compliant, versus taking out an insurance policy for $300 per record at risk?

Thoughts?

pcistuff @ gmail.com


Friday, January 11, 2008

NRF Show - See You There!!!

I will be headed to Manhattan this weekend to attend the NRF show at the Javits Center in NYC. I will be in booth #1475 talking about things PCI. Please stop by when/if you can. I always enjoy meeting folks who read my PCIStuff Blog, My Identitystuff blog or my virtualizationstuff blog.


Tuesday, December 18, 2007

Is PCI a Scam?

I had to ask myself this question after two years working with clients to help solve their PCI issues and seeing only a handful of fines being handed out to the poster children of a breach. Here is why I pose the question...

If I am an issuer of cards, why is it good business to bite the hand that feeds me by levying fines against those organizations who provide me revenue? Is the revenue that gets generated more fraudulent than legitimate, so that it is in my best interest to shut down the source of the fraud? If there was that much fraud because of the identity theft that goes along with it, isn't there anything else the issuing card companies can do besides hand out fines? It just seems like adding insult to injury.

If I am a Level 2, 3, or 4 merchant, and I look at what it will cost me to get compliant both in terms of technology and access to the expertise to implement a solution, why wouldn't I roll the dice and wait to be shut down, especially if the cost of compliance puts me out of business? I will say for the record that the Level 2, 3, and 4 merchants are the most at risk for a breach because of their restricted access to capital and expertise and their limited ability to pay for it, so they are in a no-win situation, are they not?

If I look at what the core of the issue is, it is the databases used to store data. So why not lock down, encrypt, and render virtually inaccessible the records in said databases and leave it at that? Why not simply say that IF you store data (not a great idea, but I know organizations do it), be sure it is encrypted all the way down to the cell level. It won't matter if an attacker can get access to the database and copy it, since the copy will be useless to them without the key or some serious computing power.

Can't the card companies incent Oracle, Microsoft, etc. to ship the encryption with their databases out of the box to make this happen?
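As an added illustration of the cell-level encryption the post argues for (example code written for this page, not from the post's author or from any database vendor), here is application-side AES-256-GCM applied to a single PAN column, with the row identifier bound in as associated data so that a ciphertext lifted from one row cannot be decrypted in another. The key, the row ids and the PAN values are constructed sample data; in a real deployment the key comes from a KMS or HSM and never sits on the database host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample key (256 bits). Assumption for this example only: a
// production key is fetched from a KMS/HSM, not embedded in code or config.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptCell encrypts one database cell (here a PAN) with AES-256-GCM.
// rowID is passed as associated data: it is authenticated but not encrypted,
// so moving the stored bytes to a different row makes decryption fail.
func EncryptCell(key []byte, rowID, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout for the cell: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(rowID)), nil
}

// DecryptCell reverses EncryptCell. It returns an error for a wrong key,
// a cell that was copied from another row, or a cell that was tampered with.
func DecryptCell(key []byte, rowID string, stored []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", errors.New("stored cell too short to hold a nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskPAN is what reports and dashboards should display: last four digits only.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	// Constructed sample table: row id -> encrypted PAN cell.
	sample := map[string]string{"row-1": "4111111111111111", "row-2": "5500000000000004"}
	table := map[string][]byte{}
	for id, pan := range sample {
		ct, err := EncryptCell(demoKey, id, pan)
		if err != nil {
			panic(err)
		}
		table[id] = ct
	}
	// Anyone who copies the table without the key sees only these bytes.
	fmt.Printf("row-1 at rest: %x\n", table["row-1"])

	pan, err := DecryptCell(demoKey, "row-1", table["row-1"])
	if err != nil {
		panic(err)
	}
	fmt.Println("authorised read (masked):", MaskPAN(pan))

	// The row-1 cell presented as if it belonged to row-2 fails authentication.
	_, err = DecryptCell(demoKey, "row-2", table["row-1"])
	fmt.Println("cell moved between rows:", err)
}
```

With a modern authenticated cipher the "serious computing power" the post mentions is not a realistic path for an attacker; what decides the exposure is who can obtain the key or drive the application tier that holds it, so key custody, separation of the key from the data store, and logging of decrypt calls are where the remaining effort belongs.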


Monday, October 29, 2007

Ouch!!! TJX Bank gets Whacked

This is what we've all been waiting for (ok, maybe just most of us): how is the ecosystem around a breach affected by said breach?

In this case the Bank was hit with an $880,000 fine, $500,000 of which was the 'You knuckleheads' portion, and the other $380,000 went to the 'WTF are you serious, you can't be that stupid?' portion IMHO.

I wonder if anyone has contacted Bob West, who was at Fifth Third and responsible for Security prior to the breach and then left to start Echelon One consulting. Scott Blake is another guy I know over there, formerly CISO at Liberty Mutual Insurance, so hopefully this experience has given them something to research and help others with.

Stay tuned for more coverage...


By Ross Kerber, Globe Staff | October 29, 2007

Visa USA issued $880,000 in penalties against a bank that processed transactions for TJX Cos., after an investigation of a computer hacking incident at the retailer.

The figure is described in court filings that recently have painted a clearer picture of the consequences for TJX of Framingham after its data network was breached by an unknown intruder operating through last year.

TJX, the parent of such stores as TJ Maxx and Marshalls, faces claims from banks that reissued cards in the wake of the breach that it failed to maintain adequate computer security.

At the same time, TJX struck back in its own recent filing, denying the main allegations and faulting banks for failing to press for tougher card-security standards, mirroring complaints by other retailers.

"The compromise presents a substantial risk to Visa and its members," states a June 22 letter from Visa, marked "highly confidential." The letter, now an exhibit in the case, is signed by a vice president of Visa, the biggest payment card network, and written to Fifth Third Bank in Cincinnati, which is also being sued. Both the letter and the TJX response were made public late Friday on the electronic docket system for Federal District Court in Boston.

In another filing the same day, a Visa security official stated the incident amounted to "the largest data breach in the payment card industry," at least double the size of any in the past. Last week a filing put the number of affected accounts at more than 94 million, according to card networks, twice the figure of at least 45.7 million TJX had given in the past. Ninety-five percent of those numbers had expired by the time the breach was discovered late last year, TJX has said.

A Visa spokesman yesterday said he couldn't immediately comment. A spokesman for Fifth Third did not return messages yesterday afternoon.

TJX spokeswoman Sherry Lang said the fines are being appealed and noted TJX's own filing on Friday that denies wrongdoing. Among other things, it states that the plaintiffs themselves were at fault because as members of the Visa and MasterCard networks they failed to press them to implement security measures such as computer chips and personal identification numbers to reduce fraud. Any losses would be offset by credit card profits, the filing states. It also notes a judge has dismissed a negligence claim in the case.

Card companies have struggled to increase the focus on security standards among banks and merchants.

On Friday, Lang said the company now complies with the data security standards.

Visa can levy fines when merchants don't meet the rules, but they generally are imposed on the banks that process transactions. Fifth Third could potentially pass the fine onto TJX.

According to the Visa official's letter, the investigation found Fifth Third itself wasn't following certain security rules that the bank and its merchants must meet.

The fine was determined in two parts. First, Visa assessed what it called an "egregious fine" of $500,000, "due to the seriousness of this security incident and the impact on the Visa system."

In addition, Visa levied fines totaling $380,000, retroactive to October 2006, for what it called "TJX's failure to cease storing prohibited data" by Sept. 30, 2006. This apparently is a reference to stored customer credit card numbers that were later compromised in the intrusion.

Ross Kerber can be reached at kerber@globe.com.


Wednesday, August 29, 2007

PCI Compliance as a Service

I recently came back to work at one of my former stomping grounds to develop and implement a PCI Compliance as a service to support our existing E Commerce customers and to assemble the components to offer PCI Compliance as a service to new customers, focusing on Level 2, Level 3, and Level 4 organizations.

The offering is two phases:

PCI Readiness audit

Because I am not a QSA, I will come in and perform a 5-day audit of your existing systems and report the results back to you. Only you. From this activity will come a full tactical remediation plan that can be implemented in your data centers or mine (I have 16 around the world), in many cases in 30 days or less, before you incur another monthly fine.

Remediation

The Tactical Remediation Plan (TRP) outlines a project plan, based on current state and identified gaps, that gets implemented in one of two ways – on your premises or mine.

The execution on your premises is the same as what I have done in ours – which is to deploy a set of technologies to support a fully audited and proactively enforced process and environment. I have a relationship with QSAs who know what I can deliver and will certify the solution and the environment at the end of the deployment.

The components of the solution will require an investment in hardware, software, and services, ranging from knowledge transfer at the low end to full remote management, executive dashboards for real-time reporting, and other complementary services you can choose based on resource expertise and availability.

The second option is to spin up an environment in one of my SAS-70 Type II data centers and provision the technologies to cover the requirements of PCI that are not covered by the SAS-70 audits. I will give you the SAS-70 audit results to hand off to your auditors as part of the package, whether the systems are affected by PCI or not. Same technologies and processes, and I bring the networking, application, and compliance expertise to the table on an ongoing basis. There are also SLAs and additional services that I will bring to bear if the need is there. I will do as much or as little as you need.

This second option has been the most popular for two key reasons – it is paid for as an operating expense, so there is no capital expense investment and it stays off balance sheet. The second is that the expertise acquisition required to deliver a solution is cost prohibitive for most Level 3 and 4 organizations, so this is a financially viable option for leaner shops being able to tap into a broad knowledge and resource base. It is a single monthly number for infrastructure, services, and auditing, including the on-site QSA certification in my data centers. Fixed costs.

A third reason people want to talk to me is that although they may be a Level 2, 3 or 4, they want to operate at a Level 1 standard to strengthen their relationships with customers and be proactive about mitigating risks, rather than becoming a Level 1 because of a breach.

The costs vary based on how non-compliant you are and what your infrastructure looks like. If I can help, and save you money in fines or operations I will spell out how much. If I can’t I’ll let you know sooner rather than later so we can both pursue other avenues.

Send an email to pcistuff@gmail.com to learn more or to discuss your situation.
