Why the FTC may be Involving Itself in PCI

Posted by Casey Lang on Apr 22, 2016 6:52:57 PM


In catching up on some reading from last month I noticed an interesting article about the FTC taking a hard look at the effectiveness of the PCI Data Security Standard (PCI-DSS) and assessor audit processes. Although I disagree with some of the assertions of the post, especially the statement that the PCI Data Security Standard is only a “core set of 12 basic requirements”, I do agree that the involvement and interest of the FTC in PCI assessment processes, methodologies, and practices is worth discussing.


So, why is the FTC involving itself? I believe the intent of this involvement could be two-fold: either to push harder on assessor companies to move away from inadequate scoping and validation during PCI assessments, or to serve as a representative for the people affected by payment card breaches.



Topics: PCI

Does Passing a PCI Audit Guarantee Effective Operational Security?

Posted by Eric Noonan on Feb 10, 2016 11:43:29 AM

You may have heard about the recent breach involving payment card data from cards used onsite at certain Hyatt-managed locations. According to Dark Reading, the "at-risk window" may have existed as early as July 30, 2015, with identified fraud being documented from August 13, 2015 to December 8, 2015. The malware responsible captured cardholder data while it was being transferred from the onsite processing location to the compromised system.

Post breach, Chuck Floyd, global president of operations for Hyatt, said "...we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future." While we can't know for sure whether that statement implies that operational security controls were enhanced as a result of the breach, the question is: beyond the routine PCI-DSS assessments, were operational controls proactively reviewed and strengthened?


Topics: Security Assessment, PCI