Let’s ask the Security Question: What was the RISK here? If a user chooses to hack the password and alter the document, they’re not hurting anyone but themselves. No forensic investigator s going to go by their altered document nor is it likely to stand up in front of a jury. Mom always said, “If you’re fooling yourself, you’re fooling the biggest fool of all”. IMHO the Council made a risk-based decision and chose to secure the document at a level they deemed appropriate. PCI DSS was never in play, either as a standard or a best practice.

I am advocating focus on REAL issues that matter to this community: lowering the cost and complexity of PCI by treating it as the business problem it is, identifying cost-effective steps for making PCI more accessible to small businesses (who represent the majority of compromises), identifying the impact of compliance-enabling technologies, or the explaining the advantages of getting to validated hardware and software to lower risk.

In general QSA’s have know how to unlock this document for a very long time(Insert Object –> Select file). I am not sure why they choose to lock it in the first place, but they have been doing this for years.

I do not think it is a fair statement to suggest that the council is following bad password practices for something as meaningless as protecting the integrity(vs confidentiality) of a document. There is a big difference in terms of value(and risk) in using weak passwords on a POS system and using a weak password to protect a document.

Now if someone were to hack into their portal and execute a successful SQLinjecton attack, that would be ironic.

i have proven to my QSA that we do not collect any card holder data within our system except for the last four digits… and i am still required to implement all 12 PCI requirements throuhout the whole IT landscape and infrastructure.
Yes, we are a retailer, and yes, we do a lot of credit card business… but we do not store card holer information other than the ccPAN masked, with only the last 4 digits visible. But that doesn’t seem to be enough to be PCI compliant ?

the irony in the PCI council though, as mentioned in the article… very enjoyable. :-)
Carsten

In another light I see this as one of the better standards as it does require companies and Government agencies to become better at security. To me it’s like the intro class to IT security for the dummies of management who have no clue how to spell security.

As far as the audits are concerned. I hope not to be disappointed. But we’re being audited by KPMG for PCI compliance. This is like Auditor appreciation week as we’ve decorated the office with all things for the auditor. The sign in sheet we put up at the computer room door with badges the Friday before the auditors come in. Management here thinks auditors are just stupid. And personally if these young wet behind the ears auditors buy off on all these fake decorations I have lost all faith in audit.

It appears they are asking some pretty interesting questions which indicate a lot of follow up to what I see as dead ends. Which I hope they address.

The problem to me is that in the past when auditors draft their findings they usually get fired. Then two years later we get a few more new kids come in with their check lists. I really hope these ‘kids’ are good at what they do, else management will celebrate how well they can pull the wool over the eyes of children.

The idea of a standard implies uniform application. There is no expectation that we deploy PCI across zones that are out of scope. Ergo there should be no expectation the Council do otherwise. There is enough expense, confusion, difficulty, concern, criticism, and mud-slinging in this environment already. Neither increasing the scope, cost, and complexity of PCI to areas out of scope, nor expecting the Council to act differently than those its standards govern, advances the cause of Information Security in general or cardholder data security in particular.

From the association that was created to inflict tissue-paper security protocols on the rest of the world, and whose mandate is to punish organizations that don’t build a proper steel safe to guard their used tissues?

Their foundations were built on irony. Why are you so surprised?