Shostack + Friends Blog Archive


The following is not to be construed as legal advice. Or anything else.

The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World’s September 2005 issue, which I happened to run across.
In it, Mr. Rianda, esq., discusses his view of why the breaches we are all familiar with have occurred, what the credit card folks have done about it, and the likely ramifications. Herewith, some fair-use excerpts:

A dedicated and intelligent hacker can potentially compromise any database in spite of the PCID standards or any of the other security standards developed by Visa and MasterCard. The fact that such standards are widely utilized and published allows hackers the ability to study them and find ways to work around them. Also, when numerous organizations use the same standards, it leads to a situation where if hackers can compromise one database they may be able to find ways to breach others because the databases are secured in a similar manner.
[…]
However, the likelihood of any such credit card processor like CardSystems going out of business to the detriment of their agents and merchants is extremely remote.

This was published after CardSystems was dropped as a processor by Visa.
Earlier in the article, Mr. Rianda, esq. opines that “The PCID [sic] standards are, to a large extent, common sense necessary to secure any type of computer network.”
As I say, IANAL, but if the standards are common sense, how does publishing them help the bad guys? Also, CardSystems was bought out in a mostly-stock transaction in October, 2005.

One comment on "The following is not to be construed as legal advice. Or anything else."

  • old geezer says:

    Prior to the advent of the internet, these databases were usually fairly secure, because it was difficult for individuals who were not employed by the entities to obtain access to the information. Therefore, before the internet gained widespread use, the focus to secure the information databases was primarily on trying to ensure that employees did not take the information.

    It's clear that the author suffers from a probably irreparable case of cranio-rectal inversion, and is unaware of things like TYMNET, x.25, or the overlap of phreaking and hacking.
