July 31, 2006

Puttin' the ASS in Assessment...

In the most recent "it's everywhere you wanna be" news, have you seen this? Apparently, the CardSystems CEO presented testimony before Congress stating that the people really at fault for the CardSystems debacle weren't the CardSystems executives who decided not to take basic security measures, nor the developers who knowingly stored account data contrary to VISA operating procedures. No, according to them the failure really lies at the feet of the ones directly responsible for securing the data - their PCI assessor. Oh clearly.

Of course, the assessors weren't there to defend themselves during the testimony, nor were they brought in to discuss how the scope of their assessment was defined. They did retort to the press after the blitzkrieg, however:

As to the core issue of the quality of the audit, Hancock said the improperly retained magstripe data was absolutely not on any of the machines that his team inspected; the team's mission was to inspect all of the machines that were involved with Visa transactions. "The truth is that the people who did the audit are card-carrying certified information systems professionals," Hancock said. "We examined the systems and there was nothing there. The systems were directly examined. We were very meticulous about that."

So the issue is that the assessor didn't psychically know which of those machines they weren't told about by CardSystems was operating in direct defiance of VISA regs. Nice.

Thanks to Dave N. for passing along the story, and thanks to HoffCards for the awesome service (used to generate the picture above.)

Posted by Ed at July 31, 2006 08:59 PM | TrackBack