Comments on: Verizon Data Breach Investigation: The numbers say PCI IS important http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/ The views of one man on security, privacy and anything else that catches his attention Thu, 29 Jul 2010 22:22:29 +0000 hourly 1 http://wordpress.org/?v=abc By: RateNerd http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/comment-page-1/#comment-4583 RateNerd Mon, 27 Apr 2009 13:29:44 +0000 http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/#comment-4583 The rate of CC theft is really alarming - to the point that you can get CC numbers for as little as $0.06 according to Symantic's report on the black market. I did an ROI calculation and even at that price it is still tempting for fraud - http://ratenerd.com/black-market-prices-for-stolen-credit-card-identity-theft-1080 The rate of CC theft is really alarming – to the point that you can get CC numbers for as little as $0.06 according to Symantic’s report on the black market. I did an ROI calculation and even at that price it is still tempting for fraud – http://ratenerd.com/black-market-prices-for-stolen-credit-card-identity-theft-1080

]]> By: idblackbox http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/comment-page-1/#comment-4525 idblackbox Wed, 22 Apr 2009 03:41:25 +0000 http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/#comment-4525 You should have been on the phone with my client when I told her that the company she was using to process credit cards was not on the list of Validated Payment Applications! She went into this long spiel of how she doesn't want to switch because she likes the payment application company and blah blah blah. One of the biggest challenges I see for most of these companies that are not on board yet is to get them to change their thought process. Standards, policies and procedures are all fine and good, but when not many company employees buy into it as a whole, it will be struggle for the entire process. If everyone could envision the idea of, "I scratch your back, you scratch mine", maybe they would realize, I should treat sensitive data in my company as I would want another company's employees to treat mine :) You should have been on the phone with my client when I told her that the company she was using to process credit cards was not on the list of Validated Payment Applications! She went into this long spiel of how she doesn’t want to switch because she likes the payment application company and blah blah blah.

One of the biggest challenges I see for most of these companies that are not on board yet is to get them to change their thought process. Standards, policies and procedures are all fine and good, but when not many company employees buy into it as a whole, it will be struggle for the entire process.

If everyone could envision the idea of, “I scratch your back, you scratch mine”, maybe they would realize, I should treat sensitive data in my company as I would want another company’s employees to treat mine :)

]]> By: Network Security Blog » Friday morning reading, 04/17/09 http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/comment-page-1/#comment-4501 Network Security Blog » Friday morning reading, 04/17/09 Fri, 17 Apr 2009 12:52:18 +0000 http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/#comment-4501 [...] knew about the 2009 Data Breach Investigation by Verizon, but did you know they’re having a roadshow in support of the [...] [...] knew about the 2009 Data Breach Investigation by Verizon, but did you know they’re having a roadshow in support of the [...]

]]> By: Interesting Information Security Bits for 04/15/2009 | Infosec Ramblings http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/comment-page-1/#comment-4491 Interesting Information Security Bits for 04/15/2009 | Infosec Ramblings Wed, 15 Apr 2009 21:22:40 +0000 http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/#comment-4491 [...] first pass at the PCI specific portions of the Verizon report. Network Security Blog >> Verizon Data Breach Investigation: The numbers say PCI IS important Tags: ( reports [...] [...] first pass at the PCI specific portions of the Verizon report. Network Security Blog >> Verizon Data Breach Investigation: The numbers say PCI IS important Tags: ( reports [...]

]]> By: Alex http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/comment-page-1/#comment-4489 Alex Wed, 15 Apr 2009 15:25:45 +0000 http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/#comment-4489 It's worth noting that the data set represents a mix of merchants from all levels. It’s worth noting that the data set represents a mix of merchants from all levels.

]]> By: LonerVamp http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/comment-page-1/#comment-4488 LonerVamp Wed, 15 Apr 2009 15:05:32 +0000 http://www.mckeay.net/2009/04/15/verizon-data-breach-investigation-the-numbers-say-pci-is-important/#comment-4488 Disclaimer: Have yet to read the report. But my opinion on PCI being relevant is that PCI is infinitely defensible and will always be relevant and never be a problem. It's like a best practices approach. If someone is breached, PCI can infinitely say it's not their fault, but rather the entity at the time was non-compliant, or a QSA did a bad review, or whatnot. I'm not passionately against PCI by any means (I think it's valuable!), but I tend to be realistic with how deftly they're able to position themselves to never be at fault but always be relevant...no matter what happens. Disclaimer: Have yet to read the report.

But my opinion on PCI being relevant is that PCI is infinitely defensible and will always be relevant and never be a problem.

It’s like a best practices approach. If someone is breached, PCI can infinitely say it’s not their fault, but rather the entity at the time was non-compliant, or a QSA did a bad review, or whatnot.

I’m not passionately against PCI by any means (I think it’s valuable!), but I tend to be realistic with how deftly they’re able to position themselves to never be at fault but always be relevant…no matter what happens.

]]>