PCI Assessment Done - RIF'd -- Had Enough - Retire
Thu, 2009-05-28 01:45

Rumor has it that the top infosec professional at the MBTA in Boston is being laid off and that many seasoned vets have had enough and are taking retirement. This comes just as a major PCI assessment and remediation effort had hit a tipping point (but was not completed), as is being discussed over various virtual networks. The budget says they strive to achieve the highest level of PCI compliance for 2009 (follow the link below). Level 1 Merchant status means over 6 million credit card transactions a year go through MBTA systems (I would imagine the actual number is well over 6 million). Does this data go through the MBTA or a third party? So, the MBTA wants to take my PII and my credit card info, they still are not PCI compliant (are they or are they not?), and they are letting go their top infosec professional as well as other seasoned professionals. Can somebody out there either verify or refute this? Isn't there someone else within the whole of the MBTA who is less vital and could be let go instead of the proverbial 'security guy'? http://www.mbta.com/uploadedfiles/About_the_T/Financials/FY09%20Budget%20Book_Section_3.pdf

When were Level 1 Merchants supposed to be compliant? I guess threatening potential lawsuits is more important than addressing actual issues.

I'll be sure to run out and get a new Charlie Card. I wonder how many other Level 1 Merchants in Massachusetts could be ignoring PCI, giving it only a glancing view. I bet there are even organizations that offer PCI services who are not compliant themselves. Anything is possible when the appearance of effort is really planned obfuscation.


Reader Feedback
Wed, 2009-06-03 18:36
Instant non compliance - just add pink slip
By Anonymous

The beauty of this is that if the rumor is true, unless that CSO/CISO or whatever at the MBTA is replaced, they are instantly non-compliant with PCI DSS 12.5, and we all know that PCI DSS compliance is pass/fail.

I can only imagine their compensating control.

Wed, 2009-06-03 14:57
Audits just another report on the shelf
By Anonymous

Being a security consultant, I have become used to the fact that the reports I do pointing out PCI and HIPAA violations, even major ones, will be ignored and will show up again on the next audit. The list is usually blatant, relatively simple to fix, and not all that hard on the budget. Will they fix them? Not likely.

However, California's SB-256 may cure this. The new agency is supposed to be primarily funded by fines from organizations that are non-compliant with state law, most of which maps to PCI/HIPAA requirements. We'll see how it shakes out over the next year or so.
