Friday, December 4, 2009

Ending the PCI Blame Game

A typical day. Russians were yet again selling fresh batches of stolen payment card data in closed hacker forums, and our initial undercover buys indicated that there was a significant breach. I knew what was going to happen next, and there was nothing that I or anyone else could do to stop it. No warning was possible. There was going to be another slow, painful train wreck--of that there was no question.

With our subsequent undercover buys of stolen cards, the involved issuer identifies the victim of the breach and notifies the card associations, who eventually confront the victim. Disbelief. Shock. Panic. Lawyers--lots of lawyers. Outside attorneys. Estimates are made of the number of cards compromised--a meaningless figure that will later be prominently displayed in news headlines. PCI certification records are waved about. The victim's assessor is notified. Accusations. Finally, the victim is obligated to go public with the bad news. Their stock plunges as their customers jump ship. Game over.