Stephen Wilson in Lockstep

A post relating to this item from Finextra:

27 April, 2011 Massive Sony data breach leaves card details at risk More than 70 million Sony PlayStation Network customers are being warned to watch out for scams after the Japanese electronics giant admitted its systems have been hacked and personal information - possibly including credit card data - stolen.

Is Sony PCI DSS compliant?

27 Apr, 2011 17:39

It's been over a week and a zillion blog posts and tweets have already circulated about the PlayStation Network breach. Yet one security issue has yet to be canvassed. I'm more than a little surprised.

Sony advised its customers: "If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained".

So, does anyone know if Sony is PCI-DSS compliant?

Does anyone care?

Comments

Added: 28 April, 2011 - 13:31 | Keith Appleyard - available for hire - Bromley

Today (Thu) we have Sony providing some reassurance, saying "The entire credit card table was encrypted and we have no evidence that credit card data was taken."

Assuming they've used strong cryptography, then they appear to be PCI-DSS compliant.

0 thumb ups! (Log in to thumb up)

Added: 30 April, 2011 - 09:02 | Stephen Wilson - Lockstep Group - Sydney

Keith,

We're getting warm. And yet we cannot be left assuming that Sony's cryptography is strong. After all, one would have assumed they would hash their passwords.

The question still is, was Sony certified as PCI compliant?

I tried Google News for "sony pci compliant" and funnily enough the third top hit was actually my blog post above! Hits no. 1 and 2 concerns Sony's own claims to have met the PCI encryption requirement.

It's frankly amazing that the PCI status of such a huge merchant is still uncertain days and days after the breach.

0 thumb ups! (Log in to thumb up)

Added: 03 May, 2011 - 14:54 | Keith Appleyard - available for hire - Bromley

Well we've now got Sony admitting that they had a database that dates back to 2007 that was compromised.

PCI-DSS 3.1 states "Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes"

Well once you've been paid by the Credit Card Issuer / Direct Debit Bank, why keep the data longer than say 3 months, rather than 3 years?

So even if Sony did a self-assessment, I don't think they can hand on heart say that they were PCI-DSS compliant as far as this particular database was concerned.

0 thumb ups! (Log in to thumb up)

Added: 06 May, 2011 - 19:24 | MaryAnn Allison - Payments Industry - Palm Desert

Both Visa and MasterCard publish vendors that are PCI compliant and keep it current. The one below was updated on 2 May, 2011.

The link for MasterCard's list is:

http://www.mastercard.com/us/company/en/docs/Compliant%20Service%20Providers%20-%20May%202%202011.pdf

MaryAnn

0 thumb ups! (Log in to thumb up)

Added: 07 May, 2011 - 13:47 | Keith Appleyard - available for hire - Bromley

MaryAnn - thanks for the list, but it appears to be a USA only list - so not surprised if Sony don't appear on it.

0 thumb ups! (Log in to thumb up)

Added: 07 May, 2011 - 16:39 | MaryAnn Allison - Payments Industry - Palm Desert

Both card schemes only keep one list for all approved vendors and do not differentiate across regions. Their lists will be very similar, with a few exceptions.

The MasterCard list is just easier to find than Visa's. And you are correct, Sony is not on the list.

0 thumb ups! (Log in to thumb up)

Added: 07 May, 2011 - 17:41 | Keith Appleyard - available for hire - Bromley

MaryAnn - I can't believe that this is the master list - because not a single one of the 10 largest retail stores in UK/France/Germany/Spain appear on this list.

0 thumb ups! (Log in to thumb up)

Added: 07 May, 2011 - 18:51 | MaryAnn Allison - Payments Industry - Palm Desert

Hi Keith,

Since I am viewing this list from the public MasterCard.com website, you may have a point. There is a different list via a MasterCard supplied user id for their extranet MOL (MasterCard Online) that I am more accustomed to viewing, which is the one stop shop.

If you are comfortable with different languages, you may want to give this a go yourself to do some checking in Europe. Here is a link to give you a start, the rest is intuitive but I do a search on "pci compliant vendors".

http://www.mastercard.us/?html_get=/mccomsrch/ui.jsp%3Fui_mode%3Dnavigate%26charset%3DUTF-8%26language%3Den-US%26facet%3DMCCOM.Personal%26facetCollectionID%3D%26structured_chart%3D%26question_box%3Dpci%20compliant%20vendors%26searchtext%3Dpci%20compliant%20vendors

This screen offers the selection of region/language. Once you have made your selection and are sent to the next screen I recommend you choose Issuers in the upper right hand corner. Then do your search for PCI compliant vendors.

I'm off to escape the 100F temps and headed to the beach for the rest of the weekend. Good luck!

MaryAnn

0 thumb ups! (Log in to thumb up)

Added: 11 May, 2011 - 23:20 | John Dring - Amdocs Digital Services - London

Just a slight aside - I found it typical that the welcome page for MC shows a consumer 'handing over their chip and pin smart card' to the merchant ( http://www.mastercard.com/global/). There is never a need to part with ones chip and pin with a reputable merchant!

On the Sony debacle - I think it shows me that the PCI standard is more of a best practices guideline than a policed standard.

0 thumb ups! (Log in to thumb up)

Added: 12 May, 2011 - 03:43 | MaryAnn Allison - Payments Industry - Palm Desert

Hi John,

Yes, I agree you may be on to something here. The list is typically used by financial institutions as a resource to review as part of their annual due diligence of their partners. The purpose of the PCI Compliant vendors list is for both card schemes to identify the parties that they acknowledge as having passed a PCI audit. Visa goes an extra step and sends an acceptance letter, which the banks also request of their service provider.

I also find it interesting that no one else has come forward with any additional information. There must be someone out there who could provide a global list from one of the card scheme's extranets. In the meantime, whilst we speculate, it is risky to assume if Sony is not on the list, they might not be PCI compliant without knowledge of how their relationship with the card schemes is structured. It is entirely possible that Sony are indeed working within established guidelines.

I find the silence to be an interesting commentary in and of itself.

0 thumb ups! (Log in to thumb up)

Added: 12 May, 2011 - 21:06 | Stephen Wilson - Lockstep Group - Sydney

John Dring wrote "Sony ... shows me that the PCI standard is more of a best practices guideline than a policed standard".

Channelling Captain Jack Sparrow, Pirates of the Carribean, are we? ;-)

0 thumb ups! (Log in to thumb up)

Added: 12 May, 2011 - 23:32 | Stephen Wilson - Lockstep Group - Sydney

But seriously folks, I agree with MaryAnne Allison that the silence is remarkable. As I suggested at the outset, maybe nobody really cares anymore?

Now, disenchantment with PCI is a real story.

The PCI regime is a hugely expensive exercise with uncertain impact on cybercrime. Vast volumes of card numbers continue to be stolen. And like so many audit regimes of the past, when certified organisations fail -- whether it be financial collapse, quality lapse, or security breach -- endless legal debates break out about the very meaning of audit. It's a bit late for this argument isn't it?

I've had numerous PCI QSAs tell me that their inspections only provide a snapshot, and it's not their fault that companies might be breached in between visits. Seriously?! If PCI certification doesn't provide some confidence about security all the time, and not just when the QSA is looking, what good is it? Tick box auditing has sunk to new lows when QSAs can so quickly distance themselves from problems like this.

If PCI is supposed to be so important, then surely by now there would be definitive news about the status of Sony. All we have is the company's own assertions that the card numbers were "encrypted" and that therefore they were PCI compliant. No naming of an actual QSA. No clear white lists from the card companies. And no testing of this "encryption" claim.

I had a laptop with encrypted HDD crash on me once, with total loss of the motherboard. My IT guy took out the disk drive, plugged it into a another machine, and cracked the key in less than an hour. All my data was retrieved. If the PSN security designers couldn't even be bothered hashing the members' passwords, then I have little confidence that they knew what they were doing with encryption.