BreachExchange mailing list archives

I 'know' the name of the new payment processor breach


From: security curmudgeon <jericho () attrition org>
Date: Thu, 26 Feb 2009 19:48:18 +0000 (UTC)


Back in elementary school, one of my AP classes had me doing these complex 
'deduction' puzzles, where they gave you a small list of facts, and you 
filled in a table. A check box for a match, an X for a non-match. Doing 
this, you could know that Sally likes Coke and Bob likes Pepsi, then 
deduce that Dave likes beer. So instead of over-thinking all of this, 
let's stay simple and use basic deduction:

: The new Compliant Service Provider list that Visa maintains is due to be 
: updated in about a week. Merchants are required to make sure their 
: service providers are PCI compliant and most rely on this list. 
: Currently Heartland and RBS Worldpay are listed as "* Current PCI DSS 
: status is under review".  If they know of another processor that is 
: currently breached shouldn't they reflect that on the list so merchants 
: can stay compliant with 12.8.4. If not, what is the point of publishing 
: it in the first place if it's not an accurate reflection of a Service 
: Provider's status?
: 
: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html

1. Everyone involved is adamant this is not Heartland:

Heartland rep saying it isn't them:
http://consumerist.com/5159047/another-month-another-massive-credit-card-data-breach

Even better, Fiserv, who claims to be involved in investigating the new 
breach, saying it is not Heartland:
http://www.mohavestbank.com/pdf/Alert_Feb_11_09_.pdf

2. The Visa/MC/PCI list of compliant organizations shows two companies 
as "Current PCI DSS status is under review"; 'Heartland Payment 
Systems' and 'RBS WorldPay Inc.'.

http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

3. Power of deduction: 

- If Visa is being ethical by disclosing organizations under review due to incidents..
- If those involved are confirming 'not Heartland' but not confirming 'is RBS WorldPay'..

- Then the mystery breach is RBS WorldPay again, and everyone involved is 
being honest, just not giving full details and confirmation. Since RBS 
WorldPay was hit in December 2008, they are able to hide the new event in 
the murk of very recent history quite easily.


So there you go, simple deduction and we have a likely candidate. And just 
to get people talking, and more to the point questioning Visa/PCI, I'll 
bet one bottle of Scotch (12 y.o. minimum) I am right. Accept my bet 
(limit 3 people) and prove me wrong, and I'll send you a bottle. When details 
emerge, if I am right, you send me a bottle.

- security curmudgeon

and sometimes

- Brian / DatalossDB
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
