On Mon, 23 Mar 2009, Justin D. Scott wrote:

> > I think such motion from total ignorance to doing
> > "a piss-poor job" of security represents a huge
> > progress for such, mostly small, organizations.
>
> There are also many small companies that took one look at PCI and just gave up
> entirely and outsourced anything that was in scope for compliance to a
> larger company that specialized in payment processing. I can't tell you how
> many busted shopping carts we've replaced with PayPal checkout. When their
> online stores were built six or seven years ago, security wasn't as much of
> a problem. Now, they see the cost of keeping processing on their own site
> and go ahead with moving checkout to another service. They don't get the
> "prestige" of having the checkout on their site, but their customers are a
> whole lot safer as a result.

Safer as in having a lot of eggs in one attractive basket is safer than lots of less-safe but not-worth-hacking baskets? Safer as in "big companies don't get hacked"?
But as well as being maybe safer, maybe less safe, they're certainly getting poorer customer service, because when you put an extra layer between a customer and the company, customer service has to suffer. You want to do your own processing, not for prestige; it's so that you can look after your customers much better.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.