[Dataloss] I 'know' the name of the new payment processor breach
security curmudgeon
jericho at attrition.org
Thu Feb 26 13:48:18 CST 2009
Back in elementary school, one of my AP classes had me doing these complex
'deduction' puzzles, where they gave you a small list of facts, and you
filled in a table. A check box for a match, an X for a non-match. Doing
this, you could know that Sally likes Coke and Bob likes Pepsi, then
deduce that Dave likes beer. So instead of over-thinking all of this,
let's stay simple and use basic deduction:
: The new Compliant Service Provider list that Visa maintains is due to be
: updated in about a week. Merchants are required to make sure their
: service providers are PCI compliant and most rely on this list.
: Currently Heartland and RBS Worldpay are listed as "* Current PCI DSS
: status is under review". If they know of another processor that is
: currently breached shouldn't they reflect that on the list so merchants
: can stay compliant with 12.8.4? If not, what is the point of publishing
: it in the first place if it's not an accurate reflection of a Service
: Provider's status?
:
: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
1. Everyone involved is adamant this is not Heartland:
Heartland rep saying it isn't them:
http://consumerist.com/5159047/another-month-another-massive-credit-card-data-breach
Even better, Fiserv, who claims to be involved in investigating the new
breach, saying it is not Heartland:
http://www.mohavestbank.com/pdf/Alert_Feb_11_09_.pdf
2. The Visa/MC/PCI list of compliant organizations shows two companies
as "Current PCI DSS status is under review"; 'Heartland Payment
Systems' and 'RBS WorldPay Inc.'.
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
3. Power of deduction:
- If Visa is being ethical by disclosing organizations under review due to incidents..
- If those involved are confirming 'not Heartland' but not confirming 'is RBS WorldPay'..
- Then the mystery breach is RBS WorldPay again, and everyone involved is
being honest, just not giving full details and confirmation. Since RBS
WorldPay was hit in December 2008, they are able to hide the new event in
the murk of very recent history quite easily.
So there you go, simple deduction and we have a likely candidate. And just
to get people talking, and more to the point questioning Visa/PCI, I'll
bet one bottle of Scotch (12 y.o. minimum) I am right. Accept my bet
(limit 3 people) and prove me wrong, I'll send you a bottle. When details
emerge, if I am right, you send me a bottle.
- security curmudgeon
and sometimes
- Brian / DatalossDB