A recent report in Wired Magazine revealed that Savvis Inc., the company that audited CardSystems in 2004 when CardSystems suffered one of the largest credit card data breaches of its time, is being "pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices."
Savvis is accused of certifying that CardSystems' payment systems were compliant with the Payment Card Industry Data Security Standard (PCI DSS) when they were not.
Due to the recent rash of breaches by companies that were supposedly compliant with payment industry security standards, the PCI Council said last year that it was tightening its oversight of auditors.
These auditors are in charge of ensuring that a company’s methods of processing payments and transmitting information are up to industry standards.
However, Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, had both been certified compliant before they were breached.
I see many problems associated with this audit system as it stands today, highlighted in part by the article:
- Treating a checklist of standards as the goal of compliance is poor security practice. Good information security comes from anticipating, adapting to and meeting new threats. By the time a new requirement is drafted and approved as part of the standard, the threat it addresses may already have done its damage.
- Three full-time staff are in charge of the auditor certification program. How much scrutiny can those auditors actually receive?
- The standards are complex and hard to interpret, which makes it difficult for organizations to know whether installing or updating a component of their systems will keep them compliant.
- 80 percent of the audits in the payment industry are conducted by a dozen major vendors. As the article pointed out, "the rules and requirements for auditors reveal a number of potential conflicts of interest that could arise between an auditor and the entity it's assessing. For example, many security auditors also make security products. The rules state that a security company will not use its status as auditor to market its products to companies it audits, but if the auditor should happen to find that the client would benefit from its product, it must also tell the client about competing products."
- A recent study reveals that 20% of IT security managers and technical staff at enterprises and government departments admit to cheating on security audits or knowing a colleague who did. An even larger percentage admit to "cutting corners," leaving potential holes in audits or outright security compromises.
- The problems are getting worse as companies slash budgets. Staffing shortages, substandard or second-hand equipment that may or may not already be infected with malware, and time constraints are all symptoms of the economic pressure on this industry.
It is important to realize that standards and procedures are valuable tools, and necessary for implementing any security process or program.
However, a chain is only as strong as its weakest link. In this case the links are people, and it takes only one lie or misrepresentation to create millions of dollars in losses.
Rachel James is an author and cybercrime authority at ID Experts. Prior to studying computer forensics and cybercrime investigations at Utica College, Rachel attended Portland State University with honors, majoring in Sociology. Former money laundering investigator and analyst for a major national bank, Rachel specializes in compliance and risk. Operating under the semi-official title of “Head Twit” for the ID Experts Twitter account, she finds creative ways to combine her joy of investigations with her desire to protect privacy.
ID Experts provides data breach solutions, risk assessment, forensic investigation and fully managed victim identity restoration to corporations, financial institutions, healthcare organizations and government agencies. As a leader in data breach prevention and remediation, the company has managed hundreds of data breach events, protects millions of individuals from identity theft and authored the Identity Crime Victim’s Bill of Rights. ID Experts is actively involved with industry organizations including ANSI/Identity Theft Prevention and Identity Management Standards Panel, International Association of Privacy Professionals, Internet Security Alliance, and the Santa Fe Group.
* * *
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com