back to article Firms still struggling with data security standard

Organisations are still struggling with data security, putting consumers at continued risk of identity theft as a result. A survey by the Ponemon Institute on the Payment Card Industry’s (PCI) Data Security Standard (DSS) found that more than half of those surveyed (55 per cent) work for businesses that only secure credit card …

COMMENTS

This topic is closed for new posts.
  1. The Jase
    FAIL

    Bah!

    "Consumers are generally more at risk with smaller businesses,"

    Its a rip-off for smaller business. You can either do the form yourself (lots of little bits and technical things, Joe the grocer will not get most of it, and would struggle), or pay someone to do it for you (a tenner at last check, but that needs to get done every year, and they will still bother you for details). If you don't, they charge you more per transaction.

    Most smaller businesses that deal with PDQ machines will only keep their copy of the transaction. Its designed for online retailers and people who store data, not the average shop.

  2. Lusty
    Badgers

    Excuses

    PCI compliance doesn't cost extra money/budget. Neither does it take longer to implement or more effort to maintain. To be PCI compliant all you have to do is follow best practices and stop being lazy with procedures and systems. I find that making companies PCI complant often makes them more efficient and reduces the budget requirements. Chances are if you're finding PCI compliance to be difficult or expensive you need either training or consultancy.

  3. Ian Michael Gumby
    FAIL

    Risk based approach?

    This is pretty much bs.

    While the bigger companies are easier targets because you get more in return for the risk of the hack, its the smaller companies that pose more of a threat because the odds are that the hack goes unnoticed and harder to trace.

    The point is that you have to have a strict standard and enforce it equally. Its the cost of doing business. I would only suggest that you have a sliding scale of the fines based on the size of the company. As to not encrypting the SS# and other significant data, its because they are used as keys to get to the data. If you want to encrypt everything, you'll need to find databases with hardware encryption support. Currently this is only possible with IBM's IDS database, and possibly DB2. It means that your indexes and tables are encrypted. Not an easy task.

    The other problem isn't just encryption but also website security. The majority of website developers borrow code from other sources (read untrusted sources) and put it in to their sites.

    This is probably more of a risk than attacking the database directly. This happens more to smaller firms that can't afford dedicated staff....

  4. Jason DePriest

    PCI compliant not that easy

    Being PCI compliant and being *certified* as PCI compliant are two completely different things.

    One is cheap and the other is quite costly.

    Who cares if you are PCI compliant if you can't tell anyone? A third-party audit is *required* to be compliant. No matter how qualified your in-house folks are and no matter how closely you are following the guidelines, you are required to pay someone to come in and tell you "yep, you're good" before you can say you are actually PCI compliant.

  5. pjnola

    PCI web site is gibberish

    For most small businesses they could just say "don't store the card number" and it would eliminate the vast majority of the risk. Instead of simple, solid advise, the PCI web site is clotted with vague jargon like "follow security best practices". PCI are their own worst enemy.

  6. Spikey
    FAIL

    Trying to secure a credit card

    Trying to secure a credit card against fraud by mandating PCI compliance is like trying to 'fix' a democrat by mandating they only watch Fox News. The problem isn't going to be solved by mitigation.

    Conceptually, the plastic credit card is not a secure item. They need to come up with a different kind of electronic payment if they want to stop the fraud. As it is, this is just putting lipstick on a pig. Or, you can wrap up this smelly fish of insecure payment technology with newspaper and call it PCI Compliance - but it still stinks!

    http://www.nypost.com/p/news/politics/obama_put_lipstick_on_pig_it_still_8FVnjnFf0J1NGjG5L7nbuI

  7. Anonymous Coward
    FAIL

    @ Lusty

    You really know how to talk bollocks don't you!

    I think I can pretty much guarantee that I could audit you and the company you work for under the current PCI-DSS standards and fail you in a heartbeat. All your arguments would be met with "That's not how we see the standard, you'll have to do it this way"

    The problem is that the standards are open to interpretation and the various PCI "auditors" vary WILDLY in how they interpret something.

    Going to stop typing now as I am likely to explode

  8. Anonymous Coward
    Anonymous Coward

    Sounds like a scam.

    It doesn't make any sense, it doesn't ensure security. What are they doing nowadays asking toddlers how to secure systems?

    It is a crazy world, but PCI probably actually works more in favour for those seeking unauthorised access, than those with legitimate access. but then a lot of security products are that way.

  9. David Eddleman
    FAIL

    PCI is crap.

    "PCI compliance doesn't cost extra money/budget. Neither does it take longer to implement or more effort to maintain. To be PCI compliant all you have to do is follow best practices and stop being lazy with procedures and systems."

    You've absolutely never ever done it before, have you? Next time you decide to talk shit, take a deep breath and pull your head out of your ass.

    You have to pay a firm to become PCI compliant. And if you handle your website through a hosting company, they may have to make you compliant if you don't have an in-house team that can handle it. It becomes especially tricky if your site is being managed through a control panel, since there are tons of businesses that have them since there are TONS of tech-illiterate folks out there. And the hosting company will charge fees (likely) and take time.

    Ask me how I know this. Go ahead, ask me. I used to work at a webhost, I've seen this far too often.

    They go beyond "best practices". They check all kinds of asinine stuff. For example, if you run the Plesk CP, which listens on port 8443 (and uses a completely different HTTP daemon for the CP as compared to the one for serving web content, lighttpd vs. Apache), and the port is open, they'll detect an open port that has poor encryption even though it has 0 relevance to your site, and flunk you. And different firms will have different regulations. One of the customers at my last job had a firm that would give them things to fix every day, refusing to certify them until he finally told them enough was enough, certify or I go to the prosecutors. Some barely do anything, and will certify you on a whim.

    PCI/DSS is utter garbage and does nothing to fix the problem.

  10. rorschach
    WTF?

    Re:PCI is crap

    @David Eddleman

    While I am not the standards biggest fan, I have to question what you said about Plesk CP.

    As I understand Plesk to work, it would not matter that it is running on a different daemon. It provides significant (complete?) control of the website and therefore is a security risk. If it were compromised it would be a serious threat to the site's security. How you can conclude this has 0 relevance to a site is beyond me.

    Appropriate controls should be put on any administrative function. This includes, amongst other things, using strong ciphers, restricting public access and/or using two factor authentication.

This topic is closed for new posts.