From: Email Cash (and.email.cash@gmail.com)
Date: Fri Oct 17 2008 - 14:04:27 CDT
A reporter friend of mine says he contacted Jason. He went after Chase
bank for putting their login prompt on the non-https homepage, and
they had https up within a week. Hopefully he can do something here,
too.
On 10/16/08, Jason Ross <algorythm@gmail.com> wrote:
> On Thu, Oct 16, 2008 at 7:46 PM, David Glosser <david.glosser@gmail.com> wrote:
> >
> > But beyond the "contact us" page, I didn't see any information on the
> > pcisecuritystandards web site.
> > Aren't they just a standards organization?
> >
>
>
> Yes. As they define themselves:
>
> "PCI SSC is the standards body that maintains the payment card
> industry standards, including the PCI DSS and PA-DSS."
> (from the Audit Procedures guide (PDF):
> http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5767&var=1)
>
> A couple of other relevant quotes from the PCI (found by submitting
> the question of whom to contact about violations, they display a
> "before you submit this, are any of these links helpful" list. I'm
> unsure what the connection between the PCI site and the server/domain
> these questions are hosted at is, but the PCI site linked to these so
> I view them as 'official', YMMV. Note too, I've formatted the text. The
> initial text was all jumbled together making it tough to read. Click
> the links if you wish to see them in their original horribleness ;-)
>
> "What are the consequences to my business if I do not comply with the PCI DSS?
>
> The PCI Security Standards Council encourages all businesses that
> store payment account data to comply with the PCI DSS to help lower
> their brand and financial risks associated with account payment data
> compromises. The PCI Security Standards Council does not manage
> compliance programs and does not impose any consequences for
> non-compliance.
>
> Individual payment brands, however, may have their own compliance
> initiatives, including financial or operational consequences to
> certain businesses that are not compliant. "
> - http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5319&var=1
>
>
> "What are the fines and penalties assessed to companies for
> non-compliance with the PCI DSS?
> Any fines and/or penalties associated with non-compliance with the PCI
> DSS and/or confirmed security breaches are defined by each of the
> payment card brands.
>
> For more specific information, please contact the individual payment
> card brands.
> For a better understanding of roles and responsibilities, please refer to:
>
> American Express - DSOP http://www.americanexpress.com/datasecurity
> Email: American.Express.Data.Security@aexp.com
> Discover - DISC
> http://www.discovernetwork.com/resources/data/data_security.html
> Email: askdatasecurity@discoverfinancial.com
> JCB - TBD http://www.jcb-global.com/english/pci/index.html
> Email: riskmanagement@jcbati.com
> MasterCard – Site Data Protection (SDP) http://www.mastercard.com/sdp
> Email: sdp@mastercard.com
> Visa - Account Information Security (AIS) & Cardholder Information
> Security Program (CISP)
> Visa AIS - Asia Pacific
> http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais.shtml
> Visa AIS - Canada www.visa.ca/ais
> Visa AIS - Central Europe, Middle East, & Africa
> http://www.visacemea.com/ac/ais/data_security.jsp
> Email: CemeaAIS@visa.com
> Visa AIS - Europe http://www.visaeurope.com/aboutvisa/security/ais
> Email: datasecuritystandards@visa.com
> Visa AIS - Latin America & Caribbean www.visalatam.com/ais
> Email: aislac@visa.com
> Visa CISP - United States http://www.visa.com/cisp
> Email: cisp@visa.com "
> - http://selfservice.talisma.com/display/2n/kb/article.aspx?aid=5376&var=1
>
>
> So, in other words, as a few have already stated, contacting the PCI
> SSC for violations is unlikely to be helpful, and contacting the
> individual card brand is encouraged.
>
> --
>
> Jason
>