Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security

FTC Demands Info From PCI Auditors On Breached Companies' Compliance 101

Trailrunner7 writes: The Federal Trade Commission has sent an order to nine of the larger companies that do PCI DSS assessments, demanding that the organizations turn over detailed information on how they conduct those audits, how often they actually declare a company non-compliant, and many other details. The FTC on Monday said it has sent orders to nine of these companies, including Mandiant, PricewaterhouseCoopers, and Verizon Enterprise Solutions, requiring that they provide details of how they handle those assessments. Specifically, the FTC is very interested in how many companies were deemed PCI compliant in the year before they suffered a data breach. Many companies that have been victims of data breaches over the years have touted the fact that they were PCI compliant at the time of their breaches. This has not escaped the FTC's notice
This discussion has been archived. No new comments can be posted.

FTC Demands Info From PCI Auditors On Breached Companies' Compliance

Comments Filter:
  • by blackomegax ( 807080 ) on Tuesday March 08, 2016 @04:22PM (#51661149) Journal
    PCI compliance is a joke anyway. 100% security theater.
    • Re: joek (Score:3, Funny)

      by Anonymous Coward

      Yeah,and PCI express is much faster anyway.

    • by Anonymous Coward

      PCI compliance is a joke anyway. 100% security theater.

      I'm a PCI qualified security assessor for a smaller firm, not one of the ones that was included in the above list. For one thing, compliance is not necessarily the same thing as security. And while there are some subrequirements of questionable effectiveness, none of them would qualify as 'security theater'. If I had to level a criticism on the entire system, it's this: The rigor of testing from firm to firm, and willingness to interpret requirements in ways that are beneficial to lazy sysadmins varies grea

      • Re: (Score:2, Funny)

        by Anonymous Coward

        I'm a PCI qualified security assessor for a smaller firm

        I'm a prince from Nigeria too! We should meet up for coffee sometime and discuss our strategies. You seem to be flying under some sort of legal banner that makes it easier for you to take money from unsuspecting people. I'd like to learn how you do this.

      • PCI compliance is a joke anyway. 100% security theater.

        I'm a PCI qualified security assessor for a smaller firm, not one of the ones that was included in the above list. For one thing, compliance is not necessarily the same thing as security. And while there are some subrequirements of questionable effectiveness, none of them would qualify as 'security theater'. If I had to level a criticism on the entire system, it's this: The rigor of testing from firm to firm, and willingness to interpret requirements in ways that are beneficial to lazy sysadmins varies greatly. When assessor firms are trying to win contracts, they may not leave enough hours to sufficiently test an environment, so they cut corners and miss things. Companies that don't see eye to eye with their QSAs (for example, we break the news that a very expensive configuration is not compliant) will ditch them, and shop for someone who will agree with them. This isn't allowed, but I haven't heard much in the way of enforcement.

        To the article's point, what both assessed companies and the FTC need to understand is that assessments are a point in time. They may have recently gotten a clean report on compliance, but they probably still were not PCI compliant at the time of breach. And just because you're PCI compliant doesn't mean that you won't get breached. Like any other compliance measure, it is simply the cost of entry to be a standard-bearer of major card brands.

        What you didn't mention is that the companies are being subject to blackmail. Pay $100 and get a PCI stamp of approval, or pay a higher per-transaction credit card fee. How this is not illegal is beyond me.

    • by tnk1 ( 899206 )

      Speaking as someone who has been in charge of PCI compliance (it was v2, not v3) for a small company, I disagree, but I understand why you would think so.

      Many of the PCI requirements are simply common sense. You'd want to run your security that way anyway.

      There are a few provisions of the PCI DSS where security people could have an honest disagreement with the actual requirements. In those cases, you could present compensating controls which mitigate the issues, which would make it harder for you to convi

      • by Anonymous Coward

        As I posted anonymously above, big companies can buy and bully their way into PCI compliance.

        Small companies can't literally afford to take it as a joke. At the company I worked for, we had enough money budgeted for one PCI audit. If we failed the audit then our company would be out of business. Two people including myself were hired because we didn't have enough personnel to have any hope of passing.

        As a result you see breaches at large companies who have clearly shopped around for the most useless auditor

      • by KitFox ( 712780 )

        A different consideration can be summed up in the idea that PCI Compliance makes a company "impossible to be hacked" in the same sense that being an "important and secure government agency" makes the FBI "impossible to be hacked". A frequent view is that PCI DSS means nothing at all because even fully-compliant companies can be hacked.

        The middle ground is the concept that PCI Compliance just makes the company less likely to be breached and the recognition that common sense isn't all that common (despite t

        • by sconeu ( 64226 )

          My read:

          PCI compliance makes you less likely to be breached -- but you still can be breached.
          PCI compliance mitigates the damage caused by said breach -- but you're still responsible.

          • by tnk1 ( 899206 )

            PCI compliance is merely showing that you have done a due diligence and audited check of your security against (mostly) sound security principles.

            Reality is... PCI can't stop all attacks. Not much can, truth be told, unless you're an NSA level operator, and even they suffered an Edward Snowden. The proper process and security program can stop some of the attacks and mitigate the damage of successful attacks.

            In terms of legal liability, IANAL so it is hard to say what effect it will have, but it could redu

      • by Anonymous Coward

        Auditors are easily suppressed or evaded. I had an auditor once who asked excellent questions and was able to piece together a lot despite lots of obfuscation. A call to his boss and he got back in line. Despite 12 months of CC numbers with CCV and expiry being stored in a plaintext file on the server, no negative findings. This is for a backend gateway, not a merchant (ie you'd expect the rules to apply even more). PCI-DSS is an absolute lie. It exists for the purpose of insurance and marketing. It is true

        • by tnk1 ( 899206 )

          I think what you're saying is a serious problem with the enforcement system, and I know companies do this.

          I do want to be careful though. One place I worked, they said that PCI was a joke for the reasons that you stated, but I know they said that just because they couldn't be arsed to do PCI for real and knew we wouldn't be able to skate by.

          So, it is important to differentiate the actual process of having audits and standards with how those audits are run. I agree that we need a new process for enforcemen

    • I've been alerted to vulnerabilities on an Internet-facing host after being scanned for PCI compliance. I found the notifications useful and informative.
    • by Bert64 ( 520050 )

      Just because you are compliant, does not mean you're secure.
      That said, PCI compliance is an obstacle to business and most of the PCI accreditors are not very technically minded so a lot of companies blag their way through by misleading their QSA...

  • This could get interesting. It always bugged me a bit that you’re paying a company (you’re their client) to give you a stamp of approval, and the only thing you need to avoid a bunch of liability is that stamp of approval. Doesn’t seem like there’s any disincentive to them to just pass you if you give them enough money. Maybe they fail you, you pay a bunch of hush^Wconsulting money for them to help you get compliant, then they pass you.

    There’s definitely a lot of good things

    • This could get interesting. It always bugged me a bit that you’re paying a company (you’re their client) to give you a stamp of approval, and the only thing you need to avoid a bunch of liability is that stamp of approval. Doesn’t seem like there’s any disincentive to them to just pass you if you give them enough money. Maybe they fail you, you pay a bunch of hush^Wconsulting money for them to help you get compliant, then they pass you.

      There’s definitely a lot of good things in PCI-DSS, but there’s a difference between getting a bunch of checkmarks on a list versus actually incorporating the security recommendations into your development cycle and systems design.

      The financial crisis was made possible by a willful negligence on the part of ratings agencies and big banks who paid to have their financial instruments rated.

      The Enron crisis had the same hallmarks.

      This shit is still going on in a lot of places. Glad to see the FTC putting it's teeth into some of it.

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday March 08, 2016 @04:26PM (#51661173) Journal
    How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?
    • by rsborg ( 111459 )

      How dare the dead hand of state interference meddle with an industry that has gone to all the trouble of developing a ceremonial 'self regulation' procedure?

      Because the invisible hand is very good at stealing from us?

  • by BrookHarty ( 9119 ) on Tuesday March 08, 2016 @04:28PM (#51661189) Homepage Journal

    If the compliance company won't help you pass, they wont be in business long. Compliance companies want customers to pass, so they get hired again and not black listed.

    This is why nobody is failing.

    • We'll "help you pass", and help you be more secure, by telling you where some of your vulnerabilities are and giving you pointers on how to fix them.

      The PCI DSS company is itself audited. The company I work for is preparing for our annual audit right now and we're improving our scanning in order to pass the test. Those improvements are improvements in how well we scan our customers.

      • by gmack ( 197796 )

        This is how it was for the company I worked for a few years ago. The auditor walked in said "it's secure but it doesn't meet the standard" and I had to spend the next 3 days reworking my network setup in order to pass.

        • The PCI DSS standard explicitly allows for alternative methods of meeting the security goal, so as long as it's demonstrably secure it should pass. However, if the standard security practices aren't in place, you do have document why it's secure without the expected measures.

          If this was for PCI, the auditor may have made an error, or (likely) there was an error in communication. It would be correct to say "this is secure and therefore will pass, but since it's non-standard you'll need to send in documen

          • by gmack ( 197796 )

            He was from IBM and not very flexible. If he didn't like it, I had to change it and most of the changes were down to network seperation. The end result was rather solid so aside from a few 12 hour days, I have no complaints.

    • by tnk1 ( 899206 )

      Well, they can't just walk in there, tell you that you fail, and walk out. I mean, you *could* do that, but you don't want a standard to immediately put you out of business if you have a flawed, but good faith effort to comply. PCI is not about hitting a target and nothing else. You want an auditor to work with you to get you back into shape.

      Of course, you're probably suggesting that the "help" isn't from improvements, but rather from gaming the system. In that sense, it is possible for that to happen.

    • If the compliance company won't help you pass, they wont be in business long. Compliance companies want customers to pass, so they get hired again and not black listed.

      This is why nobody is failing.

      Wanna know a surefire way to short-circuit that bullshit from happening? Hold the asshats "helping" you pass legally liable for the systems they certify as compliant.

      I know that will likely never happen, and we'll continue this political ass-kissing game of validation by palm grease.

      In light of that, what needs to happen is companies that suffer massive breaches stand up and sue the living shit out of the org that certified them as compliant.

  • by sotweed ( 118223 ) on Tuesday March 08, 2016 @04:32PM (#51661217)

    Great idea for the FTC to do this, and very appropriate. The breach business is getting out of hand.

    Unfortunately, in a situation like this, it is common, if not habitual, for organizations to be compliant with
    the standard, or the government rules, and rest there. Those standards, such as PCI in this case, should be
    regarded as the minimum they have to do, not the maximum.

  • Any idea what "PCI DSS assessments" means? Don't utilize that new fangled thing called a hyperlink to let anyone know.

    • by SeaFox ( 739806 )

      This is the Information Superhighway 2.0, where everything is toll roads. You're supposed to go "Hey Google, what's a PCI DSS assessment?" to your smartphone instead of using that archaic mouse to click a link to an actual authority of the topic.

    • its probably things like this: http://csrc.nist.gov/publicati... [nist.gov]
      = determining needed password length based on assumption of using 300 baud modem connection to the server etc

  • At a previous job (small "family owned" business), they really didn't even handle credit cards very often. But every once in a while, they'd get the walk-in or phone in customer who wanted to pay with one. As the only I.T. guy on staff, I was tossed the mandate to "do the PCI compliance thing, since our bank says we need to start doing it".

    I had to do kind of a crash course in it (while they signed us up with a company who would certify us "compliant" after I jumped through all of their hoops).

    It's been a

    • by vux984 ( 928602 ) on Tuesday March 08, 2016 @05:55PM (#51661925)

      A small family owned business can't be PCI compliant UNLESS they outsource the compliance. PCI compliance for any on-premises card information handling requires multiple individual staff (one IT person can't 'audit' himself) responsible for different roles.

      Honestly it all makes a lot of good sense.

      Once you switch to an external card processor, life gets pretty simple. PCI compliance is on them not you. For example, an online business with a webstore, the staff never have to touch card information, so you are compliant as long as your procedures stipulate that you don't.

      For a more retail place, bring in a payment terminal, and its pretty much plug and play.

      As soon as you start entering card numbers into your own computer, then you have to start taking steps to ensure the computers aren't pwned. Virus installed and up to date, firewalled, secure network, etc. But if you don't want to deal with it, don't enter card information into your computers, and just use a payment terminal.

      And I believe one of their demands was that "any computer connecting to the card processing site had to be isolated from the rest of the local network". That was, IMO, overkill and created as many security issues as it solved

      In a mom and pop, it's probably all of them anyway, and the one LAN server they talk to is PART of their local area network. (Think larger businesses, where one department might handle cards but another doesn't. The computers from the other department shouldn't be on the same lan. All the computers should still be able to talk to your WSUS server though.

      Sufficient segregation can be achieved with VLANs and a router. It's not that they aren't allowed to talk to your WSUS server, its that the 30 workstations in marketing can't talk to them. Then you just have to audit your server for PCI compliance but allows you to ignore those 30 marketing PCs for PCI compliance.

      and I wanted some kind of way to do remote administration or maintenance on these boxes,

      A typical VPN setup should have been fine, especially if you restricted the inbound ip ranges.

      You definitely made the right choice using an external processor; you probably could have gotten through without fudging (and your network would have been genuinely slightly more secure if you'd done something along the lines of what i outlined.)

      (I remember them always flagging a "warning" because our firewall allowed connections through ports necessary for regular business operations.

      I'm not sure what this would be. Why would your firewall have wide open public facing to systems that were handling card data?

      • A small family owned business can't be PCI compliant UNLESS they outsource the compliance. PCI compliance for any on-premises card information handling requires multiple individual staff (one IT person can't 'audit' himself) responsible for different roles.

        Honestly it all makes a lot of good sense.

        on paper, in reality you end up with clueless non technical pencil pushing rubber stampers playing golf with C level people.

        • by vux984 ( 928602 )

          Yes and no. It's a good set of requirements, if read and implemented by competent IT people looking to achieve security.

          But you are also right, if its read by a team of lawyers looking to minimally slide through, and audited by a team of lawyers looking to let you slide through those loopholes for their rubberstamped "PASS"... then yes, you end up with with a worthless rubber stamped facsimile of a secure system.

      • The reason we kept getting flagged for open firewall ports is because the only connection in or out of the Internet was via that firewall and router. So any outside "penetration testing" had to test against the firewall and whatever it saw behind it.

        The rules we had configured were to allow certain ports to forward to specific servers though .... nothing related to the workstation in the office running the card processor's software. But their automated testing didn't care. It wasn't intelligent enough to k

        • by vux984 ( 928602 )

          The reason we kept getting flagged for open firewall ports is because the only connection in or out of the Internet was via that firewall and router. So any outside "penetration testing" had to test against the firewall and whatever it saw behind it.

          Yeah, I suspected this was the case after I posted.

          But that is essentially why they were "only" warnings. You get the list of open ports, and you sanity check each one.

          Imagine if you were the actual online processor handling webstores... your front facing web server is GOING to be open on the HTTPS port for communications with the various embedded iframes or whatever widget you are using for your customers.

          They'll do the pen-test and they'll flag that port open with a warning.

          You'll get the report, see that

  • cheap way to print money from nothing,

  • I think the FTC just hit a jackpot. For sure lots of ripe low hanging fruit to be plucked in the PCI theatre/shakedown arena.

    I've personally had issues with Security Metrics. Noticed after the fact an online purchase was conducted entirely in the clear. I contacted the "secured by" banner to complain. Responses I got back were priceless. First they said they were NOT complaint even though their own site still showed they were. When I brought this up all I got was silence followed by no action taken to

  • PCI-DSS is nothing more than a risk transfer mechanism to move any potential liability and risk from the payment card issuers/processors to the merchants. Funny in this entire thread on this topic very little is said about risk management. This is very similar to the FISMA debacle in the Federal government. You have the scorecard mentality and 100% focus on getting greens on your scorecard for those security controls that are scored. If it isn't a scored metric then scant attention is paid to the mis

The most difficult thing in the world is to know how to do a thing and to watch someone else doing it wrong, without commenting. -- T.H. White

Working...