Sunday, September 27, 2009

PCI Compliance Could Have Stopped Gonzalez

Speaking of PCI Compliance, I've been tracking this Gonzalez guy and I came across this very interesting article by David Taylor over at --enjoy.

Call me a contrarian (or a Visa suck up), but I actually believe that the PCI DSS controls, implemented in an “above average” way, could have stopped the Gonzalez-led criminal masterminds from breaking into a company. Not all companies, but a company with above average security. Allow me to explain before you get too ticked off at me.

Recently, Evan Schuman wrote a piece on the Gonzalez breaches, where he quoted a security specialist who argued that these breaches constituted evidence of the failure of the PCI data security standards. (She even kept score: Hackers, 12; PCI, 0. I guess 12 is a winning score in some game with which I’m not familiar.) Anyway, I’m no apologist for PCI, as anyone who has read my columns or our research in the PCI Knowledge Base knows. But I think that position is wrong because it lays all the blame on the standards and ignores the responsibilities of the merchants. Here are the arguments for my position:

• Who Didn’t Get Breached?

Since Albert Gonzalez has now agreed to plead guilty to what is clearly the largest data theft conspiracy to date (that we know about), we now know the names of virtually all the companies that Gonzalez and his cohorts stole from. What we don’t know are the names of the companies the criminals did not gain access to, and why. The conspirators (according to the indictment) started with a list of Fortune 500 companies.
