Shostack + Friends Blog Archive


CardSystems Auditor

I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refusing to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless:

In December 2003, CardSystems hired Cable and Wireless America as its outside computer systems security auditor.

“We followed the Visa rules to the letter and the people who did the work are longtime security experts,” said Bill Hancock, a security executive who oversaw the audit. He said CardSystems spent months upgrading its systems before the auditors submitted a report to Visa; CardSystems was certified in June 2004.