Have you noticed that there has not been too much (well, really any) bad press around the PCI ecosystem lately? Perhaps everything is great! It doesn’t seem like we’ve had the same string of retail breaches that we saw in 2014 (which led to this piece of research), even though 2016 was bad (good?) in general for cybercrime. A quick data dump from PrivacyRights.org says there are around 100 breaches related to cards since 2016, but some appear to be duplicates (Wendy’s is reported multiple times). Of course, we found out about more problems at IHG last week. It seems like the big security bloggers still talk about breaches, but we don’t see the same questions around PCI DSS that we did in 2014-2015.
Individuals certified or listed by the Council are bound to the PCI SSC Code of Professional Responsibility. The first bullet of item 3 suggests that blogs, tweets, LinkedIn posts, or other public conversation about PCI DSS and the Council that are considered negative could lead to action against the offending party. This Code of Professional Responsibility appears to apply to QSAs, ASVs, PA-QSAs, PFIs, ISAs, QIRs, and PCIPs, or simply, pretty much anyone the Council deals with. So if you want to praise them, green light ahead. Got something critical to say? Watch out.
Even Participating Organizations could find themselves running afoul of their status. Section 4 of the Rights & Responsibilities document aimed at POs could be interpreted to mean that a Participating Organization that talks about any negative experience related to PCI DSS or its ecosystem might lose that status. This may not be that big of a deal, though (more on the value of being a PO later).
Kinda sounds like a poorly constructed homage to Nineteen Eighty-Four, doesn’t it?
Anyway, there are two things I want to bring to you today:
- A recent article entitled Information Avoidance discusses how people will actively avoid information, even though it is freely available, to avoid enduring the negative utility of that information. It’s a fantastic read and I made a ton of highlights on my copy. It’s a great way to explain a lot of what is going on with your crazy Uncle Jim who has some very strange views of reality, as well as show how some of these specialty news sites get their popularity and misinform the masses.
- An outlet for you to vent if you have crazy stories from the PCI ecosystem that you have been dying to tell, but don’t have an avenue to do so (looking at you, QSAs, PCIPs, ISAs, PFIs, PA-QSAs, and QIRs). Feel free to email them to QSAStories at protonmail dot com. It’s encrypted, it’s safe. I’m not sure what I plan to do with these messages, but at least it will be cathartic!
See you guys in the funny pages!
This is a Security Bloggers Network syndicated blog post authored by Branden Williams. Read the original post at: Branden R. Williams, Business Security Specialist