Re: (as RVSpinX)
I disagree; based on the article it seems clear that the auditor does have liability. Audits are done to verify the systems meet some predetermined level of security, and to meet this level requires having certain things in place (Firewall, Encryption, etc.). In this particular case CardSystems was certified as compliant with the CISP standards. However, the nature of the breach shows how they were in fact not in compliance.
"The data belonged to card transactions that CardSystems had retained on its system and stored in unencrypted format, both violations of CISP standards"
This could indicate 2 things: 1, that Savvis did an underwhelming job during the audit, or that after the audit CardSystems dramatically altered its infrastructure in such a way that data that once sat in an encrypted state OFF its own systems now do. As someone who manages a fairly large infrastructure, I find it difficult to believe that CardSystems drastically altered its systems in a 1 year +/- timeline (Audit Certification date to Hack Disclosure), corporate red tape being what it is and all.
Some of the points in the article, such as "Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway.", seem to indicate that there are some lackluster audits going on.
Rational or mob mentality (as Rob)
I'm not sure about rational or not, however from my personal experience selling the odd item here and there I've noticed the following trend. Items I've listed never sell with only 1 bidder. I've had almost every auction item go as follows:
Step 1: List item at lowest price you think you will accept.
Step 2: When auction ends relist the item about 15-20% cheaper but increase the shipping and handling fee.
Step 3: Auction ends about 25% above my initial listing price and with about 5 or 6 interested bidders.
It's as if no one wants to make the first move, but when someone does it's like chumming the waters.
So I guess based on my decidedly non-scientific methods I would say that eBay auctions are definitely not rational.