Monday, July 27, 2009

Another Claimed "0wned While Compliant" Case ... NOT!

So, another card data theft (only 500,000 cards this time, not a biggy :-)), another chance for some folks to scream "PCI didn't save me!"

In particular, the paper has this quote:

"Wade added that Network Solutions is compliant with the Payment Card Industries (PCI) Data Security Standards, but did not immediately know when the last compliance assessment was conducted."
Stop ... right ... here! This is a "delusions of compliance" case, a very clear-cut one. Even without ever seeing her environment, I can guess that:
  • She has absolutely no idea whether they are compliant at this time or at the time of the breach!
  • She can hope that they were indeed compliant with all the necessary requirements whenever they were validated (not sure whether by QSA assessment or SAQ)
  • She can hope that they were in compliance at the time of the breach, but I bet a bottle of bad vodka that they were in fact NOT!
Please save us from another round of "PCI didn't save us, thus it is bad!" Think for a second before you spout it...

Dr Anton Chuvakin