[Owasp-ireland] Potential of 4.2 million credit card details stolen via cyber attack.

David Ryan dave.ryan at gmail.com
Tue Mar 25 07:13:18 EDT 2008

Dealing in absolutes is an error. There is no "secure". There are security
controls and depending on what, how, where, when, why, if, biff, bam, and
boom they are implemented and managed their effect is a quasi-linear
progression along the cost-versus-hardcore axis where they intersect at the
"good enough for us at this moment in time" point. Compliance may equate to
"good enough" security controls, but suggesting there is a final resting
point for IT expenditure on all things security is folly.

PCI has gone through a round of improvements and perhaps it will continue to
do so in the future. Whilst I don't have a history of other safety standards
from our recent industrialised history, I imagine there are comparable
observations to be made. Cars did not start off with airbags and they still
don't prevent people from killing each other on country roads or on
overpriced toll roads.

As for the PCIDSS being ambiguous, I agree. However, I think this is perhaps
a necessary quality: Not all companies are equal. I would suggest that
VISA/Mastercard/AMEX/etc wanted to establish a baseline for their own
"insurance" purposes (imho and used here as a loose term).  Does it raise
the proverbial bar? In my experience, it probably has done for some clients
I've worked with and maybe not for others, but again this is an example of
the underlying intention functioning (imho). Another example is
BS7799/ISO17799 certification. No doubt any future attempts to provide a
super-compliance-standard will end up with ambiguity too.  The point is that
the organisation must interpret the "ambiguity" to suit their needs and
explain why they have interpreted it as such to the auditor and, where
applicable, compliance body.  The aim could be to provide the least amount
of ambiguity as possible, but being overly prescriptive would perhaps be
more prone to failure when issues such as capabilities, economics and other
factors are considered.

As for who is to blame? I'm sure they both have insurance ... *if* no
personal data was lost, is this such a big issue? (from a consumers

On 25/03/2008, davidrook <david.rook at realexpayments.com> wrote:
> I think this is another example of PCI compliance being just that - a
> compliance standard. Being compliant (as is demonstrated here and with
> TJX) does not always equate to being secure.
> PCI is ambiguous and it could be improved to try and make companies both
> secure and compliant. As for who is to blame, is it not a case of 6 of
> one and half a dozen of the other?
> Dave
> Eoin wrote:
> > Maybe a bit slow on this one but I'd thought I'd share it
> >
> > A PCI compliant company was compromised and an estimate of 4.2 million
> > cc numbers were obtained.
> > The issue arises that the company were PCI compliant and now the blame
> > game has ensued. The PCI assessors are being blamed, there is mention
> > of ambiguity regarding the PCI standard, where to apply some of the
> > technical controls etc.
> >
> > http://www.theregister.co.uk/2008/03/18/hannaford_data_breach/
> >
> >
> > http://www.hannaford.com/Contents/News_Events/News/News.shtml
> >
> >
> >
> > http://www.merchantcircle.com/blogs/Pre-Paid.Legal.Services.Inc.-.Ind.Associate.786-390-0581/2008/3/4.2-million-account-numbers-stolen-at-Hannaford-Bros.-Co./70643
> > --
> > Eoin Keary OWASP - Ireland
> > http://www.owasp.org/local/ireland.html
> > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Owasp-ireland mailing list
> > Owasp-ireland at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-ireland
> >
> --
> David Rook | david.rook at realexpayments.com
> Information Security Analyst
> Realex Payments
> Enabling thousands of businesses to sell online.
> Realex Payments, Dublin, www.realexpayments.com
> Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
> Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538
> Realex Payments, London, www.realexpayments.co.uk
> 1 Hammersmith Grove, London W6 0NB, England
> Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264