FTC to Audit PCI Industry (March 9, 2016)
Posted by Chris Mark in Uncategorized. Tags: American Express, Chris Mark, credit cards, Discover, DSS, Federal Trade Commission, FTC, JCB, MasterCard, Order, payment cards, PCI, Visa
(UPDATED) I have been in the PCI “industry” since before it was an industry. I was fortunate to have worked with Visa in 2001 on a team that helped design the CISP requirements for service providers, and subsequently worked at MasterCard, a major processor, and numerous QSA firms. I can claim (along with 2 or 3 other people) to be the FIRST assessor, even before we were QDSPs and then QSAs. I was the PCI SSC’s global QSA trainer and Visa’s CISP trainer. There are probably only 10 people in the industry that have been doing “PCI” type work as long as I have. Unfortunately, we lost two of those fine folks in the last several years. One of the most frustrating aspects of being in the PCI assessment business has been competing with the “pay and stamp” assessors. PCI is complex, and conducting a solid PCI assessment is complex and not trivial. There have always been the “bottom feeders” that will guarantee a compliant finding for a nominal fixed-price fee. Those of us at companies that do solid work (while I compete with them, I am also friends with many and respect their work as much as my own employer’s) often find ourselves on the losing end of a bid when someone agrees to assess a Fortune 100 company for a fixed fee of $40K. Well... the Federal Trade Commission has taken notice!
The FTC has issued an order to 9 QSA firms to assess (pun intended) how they assess companies against the PCI DSS and how their business is structured. The 9 companies listed are:
Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).
Here is my beef with that list. The one company (to remain unnamed for fear of a lawsuit, but we all know who it is) that has had 7 or so of the largest credit card breaches in history as its clients is not listed. 3 of the companies are ‘newbies’ and 3 are very well known and respected companies. They should have asked for “Chris’ list” 😉
After reading the order it is clear the FTC has done their homework and knows the answers they expect to get. This is not simply smoke and mirrors. They are asking questions related to:
- The bidding process for QSA work
- Cost structure of PCI assessment work
- Time associated with the average assessment
- Number of companies found ‘non-compliant’
- Whether a company is found ‘compliant’ BEFORE completing all work
- Sampling methodology (this is a gotcha because the required methodology is outlined in the training)
- Qualifications
They are then asking for a sample ROC to be provided. I cannot applaud the FTC enough for taking this step. It is well past time that we get the “pay and stamp” providers out of the industry! Read the Order Here!
Chris Mark speaking on PCI at a Business Process Outsourcing (BPO) event in 2013 (June 29, 2014)
Posted by Chris Mark in Uncategorized. Tags: AT&T, Chris Mark, compliance, compromise, data breach, DSS, hack, PCI, risk, security
I was privileged to be able to speak at an AT&T BPO event in 2013. In February 2014 AT&T Marketing published the videos. I had found one but was unaware they had published all 3. I hope you enjoy. (Remember... the camera adds 10 lbs! 😉)
Chris Mark in AT&T Network Exchange Blog (February 20, 2014)
Posted by Chris Mark in Uncategorized. Tags: AT&T, Chris Mark, cybersecurity, DSS, Exchange Blog, information, PCI, security
As the AT&T PCI National Practice Director, I write and blog on numerous topics that I hope are of interest to those who have to protect data. Aside from the GlobalRiskInfo blog here, I also publish some blog posts on the AT&T Network Exchange Blog. Please take a spin through. There are also a very large number of great writers on the AT&T Network Exchange Blog. Take some time and look through the other authors…
“This is the American Express Fraud Department” – Two Dozen Carders Arrested on 4 Continents (June 26, 2012)
Posted by Chris Mark in cybersecurity, Industry News. Tags: Amex, BOA, Carders, data theft, DSS, Fatal System Error, FBI, mark consulting group, PCI, Sting, Visa
Last night my wife received an email about a suspicious transaction on our Amex card. It turned out to be a fraudulent transaction, and my wife’s card number had been stolen. I was writing a blog post on this very subject when a Google alert informed me of this article on Fox News: “Two Dozen Arrested in Online Financial Fraud Sting”. According to the article: “Two dozen people on four continents have been arrested in an elaborate sting targeting a black market for online financial fraud, federal officials in New York said Tuesday.
U.S. officials called the crackdown in the United States, Europe, Asia and Australia the largest enforcement effort ever against hackers who steal credit card, bank and other information on the Internet — a practice known as “carding.” The officials claimed the two-year FBI sting protected more than 400,000 potential victims and prevented losses of around $205 million.”
On that note, I recommend that you take a look at the book “Fatal System Error”; it gives very good insight into the underworld of carding.