Ending the PCI Blame Game

Turiss CEO Phil Mellinger, former CISO of First Data, expresses concern over the costly infighting over financial responsibility for breaches and proposes five constructive steps

By Phil Mellinger, CEO, Turiss

CSO, December 03, 2009

Fallout from the PCI Blame Game

A typical day. Russians were yet again selling fresh batches of stolen payment card data in closed hacker forums, and our initial undercover buys indicated that there had been a significant breach. I knew what was going to happen next, and there was nothing that I or anyone else could do to stop it. No warning was possible. There was going to be another slow, painful train wreck; of that there was no question.

With our subsequent undercover buys of stolen cards, the issuer involved identifies the victim of the breach and notifies the card associations, who eventually confront the victim. Disbelief. Shock. Panic. Lawyers, lots of lawyers. Outside attorneys. Estimates are made of the number of cards compromised, a meaningless figure that will later be prominently displayed in news headlines. PCI certification records are waved about. The victim's assessor is notified. Accusations. Finally, the victim is obligated to go public with the bad news. Its stock plunges as its customers jump ship. Game over.

As if being breached wasn't bad enough, the victim would now endure an endless stream of investigators, lawyers, and reporters that, in the end, would do little to prevent the situation from reoccurring elsewhere.

One by one, card industry players are forced through this gauntlet: the PCI blame game. "It's your fault; you weren't diligent." "No, it's the PCI assessor's fault; they said we were compliant." "No, the associations certified the PCI assessor; it's their fault." The PCI assessor is summarily de-certified and placed on probation. The breach victim sues its assessor. The legal battle broadens as lawsuits pile up; everyone wants a piece of the victim. The associations fine the victim, who sells what remains of the business to scavengers. In nearly all cases, the victim had tried its best to interpret and follow the complexity of the PCI rules, and yet it is always the one blamed.

No system that seeks to blame victims for unprovoked attacks can long survive.

Payment industry resources must be refocused on fighting those responsible for breaches. Worse than the PCI blame game itself is that few now comprehend the scope of the problem: the payment card industry is today trying to stop attackers who may be beyond the capabilities of available security solutions. The bad guys have jumped to warp speed.

The third wave is upon us.

The Third Wave: From Payment Cards to National Security

We are now several years into the brunt of the third cyber-attack wave. It began on a small scale but gathered speed quickly, and its ferocity was unanticipated.
