PCI coverage roundup

Monday, March 24th, 2008

A major data breach was announced this week, with the Hannaford Brothers grocery chain disclosing a large loss of protected credit card information. Details are sketchy and in some cases conflicting, but the discussion online has raised some interesting questions about PCI. Rich Mogull, former Gartner security analyst and blogger at securosis.com, takes a look at what might have happened and asks whether PCI is worthless. Both discussions are worth checking out – the first as an exploration of the actual breach and whether PCI helped, and the second as a more in-depth look at whether PCI is improving things or just consuming resources. Avivah Litan and John Pescatore at Gartner have also weighed in with implications for enterprises.

I also talked to Ted Keniston, one of our Professional Services compliance gurus and a PCI Qualified Security Assessor (QSA). He recommended a few recent blog postings and sites to check out when keeping up with the regs:

PCI Blog – Compliance Demystified, as the leading reference site.

These three postings at PCI DSS News and Information cover these ten PCI myths:

10. PCI only applies to my e-commerce transactions.
9. Non-profits like charities are exempt from PCI
8. Outsourcing my card processing makes me PCI compliant.
7. I use a PABP application/service provider, so I’m PCI compliant.
6. A card association would never fine a college or university!
5. PCI compliance is an IT project.
4. PCI is inflexible with unreasonable technical, security, and business requirements.
3. PCI requires me to hire a QSA.
2. The card industry requires me to keep cardholder data.
1. I’ve completed my Self-Assessment Questionnaire, so I’m compliant.

Red Flag: Webcast follow-up

Tuesday, February 5th, 2008

In response to a question from today’s webcast, here is a link to a PDF version of the Final Rule on “Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003”.

FIL-105-2007: Webcast comments, Part 2

Tuesday, January 29th, 2008

We had a few specific questions which we posed to Erik Petersen, VP of Professional Services:

Q: Do you have any recommendations on where we can find guidelines/policies that we may be missing from Question B?
A: I’d go back to the FFIEC information security handbook.

Q: Does ACH risk seem to have any higher emphasis in this exam than in the past?
A: Nothing would lead us to believe that it is more or less emphasized – although NACHA is called out specifically under the vendor management section.

Q: Does the questionnaire specifically address integrated logging or outsourced log monitoring?
A: The specifics behind the guidance are focused on capabilities. There is not any focus on how you realize these capabilities. Of course, if you use an outsource partner it brings the vendor management components into play.

Q: We were told during an OCC exam last year, that service providers that are regulated by FDIC, etc. (for example correspondent banks and debit card processing vendor) need not be scrutinized so closely. However, I’m wondering if I should ask for audit results even for those service providers.
A: Yes, you should ask for IT examination results from the supervisory agency. Additionally, you should take a risk-based approach to ensure any other controls that you need are in place and working. For example, if someone is hosting your web application, in addition to getting their agency examination results you may want to seek additional validation about their web controls.

Q: Is reviewing of financials for vendors required as part of Vendor Oversight requirements? If so, is it just required for vendors with access to confidential info?
A: It is required for any critical vendor. Criticality does not just follow GLB data but also continuity of the institution, risk to reputation, etc.

FIL-105-2007: Webcast comments

Friday, January 25th, 2008

We had a very interactive webcast discussing these topics impacting banks on Thursday, January 24. In particular, many attendees shared their experiences with the new FIL questionnaire. We’ve edited and summarized some of the comments here. Look for more blog posts regarding this webcast in the next week. Thanks to everyone who shared information!

Helpful Links:

FDIC site: FIL-105-2007

FDIC site: Instructions for Completing the Information Technology Examination Officer’s Questionnaire

SecureWorks site: Archive of the webcast, “Regulators Raise the Bar: Latest FIL’s and Rules”

Who has received the questionnaire?

Q: Have you received the questionnaire? Have you been examined using the new questionnaire?

A: Of those who responded, 63% had received the questionnaire. Less than 5% had been through a full audit with the new questionnaire. Two other observations: First, no one that mentioned being an OCC bank had received the questionnaire. Second, a sizable percentage had received it from another source, such as state examiners or internal audit groups.

Comments on the questionnaire and examinations

“During the FDIC audit our bank completed in October, there was significant emphasis on vendor management oversight, security and business continuity. If you have a solid internal Audit Dept that has reviewed your overall procedures, it makes the overall process much easier.”

“I went through this FDIC exam a couple of months ago, and they killed me with the patch management procedures and the audit logs. They wanted to know exactly what the SecureWorks scan we had previously done had scanned for. The examiners also wanted me to set up a test server with a test PC to test OS patch management before releasing to the production network.”

“I went through the FDIC exam in November and it was the toughest exam I have been through in my 31 year career in banking.”

“Be very careful in having all policies written, complied with, updated and reviewed annually.”

“Have audit procedures in place for everything. Keep logs, review logs, have everything in writing and comply to the letter with what you have written.”

Next week, we’ll provide our take on some of the other questions we received.

The Week’s Links: November 5-9, 2007

Friday, November 9th, 2007

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories that feature SecureWorks staff or research, as well as press releases.

The Wall Street Journal: Web Scammer Targets Senior U.S. Executives
Features SecureWorks analyst Joe Stewart.

The Boston Globe: Visa fines bank after losses in TJX breach

SecurityFocus: Electronic Jihad rears its head, again

The Week’s Links: October 29 - November 2, 2007

Friday, November 2nd, 2007

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories that feature SecureWorks staff or research, as well as press releases.

Reuters: Fed publishes final rules combating identity theft

US-CERT: Federal Trade Commission Reports Spoofed Email

Government Executive: Reports of federal security breaches double in four months

The Week’s Links: October 22-26, 2007

Friday, October 26th, 2007

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories that feature SecureWorks staff or research, as well as press releases.

internetnews.com: How to Fight The Onslaught of Security Threats

msnbc: TJX breach could top 94 million accounts

CSO: The 80/20 of Managing Software Risk

The Week’s Links: October 15-19, 2007

Friday, October 19th, 2007

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories that feature SecureWorks staff or research, as well as press releases.

eWeek: Governor Kills California Data Protection Law
ComputerWorld: Schwarzenegger says ‘Hasta la vista’ to bill on data breach costs
Gartner: PCI-Standards-Based Data Security Bill Was Rightfully Terminated
Internet security legislation was vetoed in California - and Gartner thinks it was the right decision to make.

ComputerWorld: Experts say proposed security standards for power grid not enough

bMighty: How to Stop Snarfing and Other Common Switch Hacks

Dark Reading: Small Business: Hackers’ Low-Hanging Fruit

ComputerWorld: Retailers Take Swipe at PCI Security Rules

The Week’s Links: October 8-12, 2007

Friday, October 12th, 2007

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories that feature SecureWorks staff or research, as well as press releases.

PC World: Hacking Damage Limited, Bank Reports

SearchSecurity.com: How Russia became a malware hornet’s nest

CIO: Hacker Economics 1: Malware as a Service

The Week’s Links: October 1-5, 2007

Friday, October 5th, 2007

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories that feature SecureWorks staff or research, as well as press releases.

SearchSecurity.com: Misconceptions about information security outsourcing
Khalid Kark from Forrester Research looks at enterprise adoption of security outsourcing. Also, see SecureWorks’ press release regarding Forrester’s first MSSP Wave.

ComputerWorld: Four reasons why some big retailers are still not PCI-compliant

SearchSecurity.com: How Chevron met the PCI DSS deadline

SecureWorks Press Release: Number of Hackers Targeting Utilities Increases 90 Percent According to SecureWorks’ Data

Dark Reading: SecureWorks: Attacks on Utility Users Increase 90%