Friday, June 24, 2005

CardSystems Breach Follow-up

Anyone looking for additional details on the CardSystems Solutions intrusion may find Bruce Schneier's blog good reading. He notes that CardSystems was apparently not in compliance with Payment Card Industry (PCI) security guidelines, although on National Public Radio CardSystems' CEO said his company was in compliance. Phil Hollows has written multiple blog entries on the breach, one which correctly points out that compliance with an audit does not equal security.

1 comment:

Keydet89 said...

Compliance != security

Well, it's about time someone said it!

As I've commented in this blog before, I've run into the same thing before. I've sat down before 40 page questionnaires, wondering why, by the end, nothing has led the company I work for to be more secure. I've marveled at the basic lack of IT knowledge (and dare I say it, professional integrity) of auditors who come on-site to evaluate our security...IT and otherwise.

I've been astonished how reports are 'sanitized' for fear of upsetting the CEO or CFO of an organization.

Current legislation has no teeth. Many of the audits going on these days are not leading to improvements in the security of the business processes at all.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com