maravis.com

Exploring Information Security

Monday, February 6, 2012

  • Oct 5, 2009

    Microsoft has confirmed reports that Hotmail accounts were compromised. These account credentials were stolen using a phishing attack, which means they were stolen from users rather than from Microsoft websites. The accounts were posted on October 1st to pastebin.com. The accounts included Windows Live Hotmail accounts with email addresses ending in hotmail.com, msn.com and live.com.

    Continue reading "Phishing attack compromises Hotmail accounts" »

  • Sep 25, 2009

    Update: In the Oct 2011 issue of the assessor updates, the PCI SSC has addressed the use of logos. “PCI DSS Compliant”, “PCI DSS Ready”, and other variations that combine a portion of the SSC’s official logos with an organization’s own marketing text and/or graphics are not permitted, either in printed marketing collateral, business cards, or web sites.

    The PCI SSC is a standards-setting body, and makes no determination as to any individual organizational compliance status. The use of such unauthorized logos not only creates confusion in the marketplace by mistakenly implying recognition of a compliance status, or the endorsement of, an organization by the Council, but also the use of these logo variations constitutes an infringement of the Council’s trademark and copyright rights, and the PCI SSC is obligated to enforce its intellectual property rights in order to further the organization’s mission and objective.
    With this in mind, should you receive inquiries on this topic, please ensure your clients understand the role the Council plays in the compliance process; that we do not determine compliance, and that their use of these logos is not permitted.


    Original post continues…

    I just read an article in SC Magazine that says that some vendors are calling for a logo that can be displayed by PCI-compliant companies. The idea is that being compliant can be used as a marketing tool and that a lot of companies are not able to communicate the impact of being compliant properly. If they had a logo on their website, people would know right away.

    Continue reading "Logo for PCI Compliance?" »

  • Sep 24, 2009

    Almost all the major data breaches that have happened in the last 2 years have involved companies that were supposed to be PCI compliant. If being compliant meant that they were secure, then how could they have been breached?

    Continue reading "PCI Compliance does not equal security" »
