Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Slashdot Deals: Deal of the Day - Pay What You Want for the Learn to Code Bundle, includes AngularJS, Python, HTML5, Ruby, and more. ×

Journal Journal: PCI from a consumers point of view

I'm a computer programmer and application security instructor from a well known application security organization. About 6 months ago I was at a vacation resort that I am very fond of. They took my credit card number at the time of making a reservation, and still had it on file when I arrived. Near the end of my stay, one of the staff found out that I was an IT professional, and took me to see the head of the resort. I was one week into daily massages and hot tubs and I would have helped the devil if asked, I felt so relaxed. They asked me to poke around their computer network to see how it was running. After interviewing many of the key staff and having a rather rude encounter by the very anti-social network admin, I found out that:
  • They run active directory on a windows (XP Pro) network with around 30 computers.
  • The wireless network was all WEP, restricted to just a few employees use.
  • All machines were locked down to give users as little access as possible.
  • The one computer I reviewed had virus protection that had signatures 3+ months old.
  • They use the WEP wireless network to send credit card information on a daily basis from one of the outlying massage centers to the main office.
  • They are storing all credit cards for the last 10 years in a password protected MS Access database that is on the network as well as in their the registration system.

Now, I'm not a hands-on expert at network security. But I suggested that they stop storing so many (30,000+) credit cards for so long. It seemed foolish due to what I guessed was lax security and storage. Certainly far from PCI compliance.

So what do I do, call the PCI police? This resort is near and dear to my heart but after taking me away from my vacation to help them review their systems, seek my advice, ignore it, and continue to store my info, what is a AppSec geek to do?

"Sometimes insanity is the only alternative" -- button at a Science Fiction convention.