I’ve heard figures bandied about a couple of times in recent weeks, supposedly from the Acquiring Banks, about the levels of PCI compliance. (I say supposedly because I don’t want to assert something that may not be right, but the sources aren’t too bad!)

Figures as high as 90% of self-assessments (as defined for Tier 2 and below) are coming back (supposedly) 100% ticked off… Now I ask: 90% all compliant, or 90% not all compliant yet? Did I hear right? Sure did.

Now these figures fly in the face of what we’re seeing out there, so the question needs to be asked: are we only seeing clients that by chance fall into that 10% and not any of the other 90%, or does something sound wrong here?

The PCI DSS is not overly complex but it is certainly full of grey areas in terms of depth of compliance and most importantly, what’s in and what’s out of scope. Moreover, it is setting minimum security requirements and controls far ahead of almost anything else that has been thrown at the private sector.

Every client we’ve had that has seriously looked at their level of compliance against the PCI DSS standard has had to, to some degree, make plans for changes to their environment, most acknowledging that compliance will be a longer term project for them, with the resourcing and financial burden needing to be phased.

So what’s the other 90% doing? Keen to share that secret, guys? It will be interesting to see what an audit would turn up in the event of an incident… but then again, will it matter that much if Company X is only a Tier 3? Seriously though, some questions need to be asked if that figure of 90% is accurate.


Posted in: PCI, PCI DSS

I read in the news this morning that the US Government is warning of a “possible” al-Qaeda “computer attack on US financial websites” (Daily Telegraph, 2nd December, 2006 and http://www.news.com.au/story/0,10117,20852774-1702,00.html?from=public_rss).

The story goes on to report that an attack could come at any time, though Homeland Security (US) is quoted as saying that the statement is not based on any corroborated evidence but, and get this, that they have issued the warning out of an “abundance of caution”. Further, that the threat is present for all of this month.

I trust someone has told al-Qaeda that Christmas Day is also not allowed. (The day after Christmas should also be out of the equation because I really don’t want to miss the start of the Boxing Day test against the English.) Now if we can only make it through to December 31, we can put our feet back up and praise the Lord that we have people like Homeland Security looking after us all (at least in the US, but we do know they have the world’s interests at heart also, so that makes me feel all warm inside).

Now I don’t know what’s scarier: that they actually are onto something now and this is the response (i.e. the warning to the banks), or the fact that they actually believe this current intelligence is announcing something in the pipeline that differs from what is actually going on every day out there in the real world. Now there’s plenty I could say in response to some of these points, but the broader issue at hand is a belief that, to date, little or nothing has already happened… of course it hasn’t, otherwise we’d know about it, right?

Sadly, more often than not, this is the belief out there. We (SA) see it every day. We hear about it from our colleagues in the industry and the issues they face in their roles trying to get their organizations to understand that the threats out there are real. As an insurance policy, just in case those security zealots could be onto something, you’ll get the following from those in positions of supposed accountability: “ignorance is bliss, as they say, and if I don’t show a focus on staying abreast of something like this security stuff, then surely when the stuff hits the fan, no one can blame me. Hell, I’ll even be a hero in the eyes of the board when I react with all guns blazing should something happen to us!” Sounds familiar, doesn’t it? Surely with all of the recent corporate disasters, things are better? Hmmmmm…

We do many presentations on cyber threats. They generally follow similar lines in terms of the response from attendees. By the end of the presentations, we believe, in most cases, we have made an impact, and hopefully a difference. But from the start, we’re generally on the defensive, having to justify that what we are talking about is real and not just a load of hype to sell security services. We do the usual old clichéd news grabs (“Company X Hacked – 3 Billion Credit Card Accounts Stolen!”) that are met with the usual response: either “this can’t happen to us” or “such things happen so infrequently that really, how big is the actual risk? I mean, how often do you really hear about such things?”

What generally grabs them at this stage is when we outline exactly why we include these news clippings in our presentations. We include them because they’re real, named companies, but the real reason is that we don’t and won’t talk about the results of work we do for our clients. The message is that we’ll show you what is public knowledge and then we’ll discuss in generic terms, without mentioning company names, how common such problems can be. The perception is that such events are infrequent, but that belief exists only because they’re not reported. They’re not rare… we see this stuff every day! We see it because we demonstrate how it can be done, and if we’ve been able to demonstrate the likelihood, then we have demonstrated that the threat is real. And that is the attention grabber.

Now here’s where it gets even scarier. If we’ve been able to confirm a huge security exposure, and if Company X’s systems and network have been in their current state for Y period of time, how does the company know that nothing has happened in the past, or continues to happen? So, you’re assuming now that we’re engaged further by Company X to perform some investigation to attempt to confirm potential activity by bad guys? If only! The truth of the matter is that, based upon our experience, less than 5% of companies will follow through with such a course of action. The majority choose to try to fix the problem and pray that nothing comes back to bite them. But that story is for another day. The point I am trying to make here is that things are happening all the time, and just because they’re not being reported doesn’t mean they’re not happening. Just because organizations don’t notice an impact doesn’t mean their systems are not owned. The bad guys don’t want glory in the press; they’re working with a purpose, and the success of their work depends upon not being caught.

And if you think that certain business types or sectors are okay because you assume they’d have to be, given the type of business they are… that isn’t what we are seeing out there. Most of the time, it’s pretty scary out there… but who’d believe us? We’re just a bunch of over-reacting security geeks protecting our own jobs, aren’t we?


PS. It wasn’t that long ago that a large multinational found an al-Qaeda training manual on one of their public-facing FTP servers. No one knows how long it had been there. It never made the press. It was picked up by pure fluke and nothing else.