On Friday 13 August 2010 11:33, eric.lengve...@wellsfargo.com wrote:
> I'd like to clarify a bit. PCI-DSS wasn't developed by the big banks. It
> isn't usually enforced by big banks except insofar as they are liable for
> PCI-DSS compliance when outsourcing to or partnering with other companies.
> So they may be forcing it on the SMBs you've worked with because they're
> liable in some way.
> PCI-DSS was the brainchild of Visa. I'm a member of X9F (X9F6 is the
> payment card security standards committee) and we wrote an open letter back
> in 2005 to Visa and Mastercard asking them not to set new, separate
> standards for the financial sector but to work from within X9F. They
> ignored us. Even though you clearly indicate that they aren't truly
> voluntary via your use of quotes, when the PCI group (VISA et al.) can
> unilaterally level huge fines and/or penalties for non-compliance they
> really are compulsory.

Also, PCI certification requires that all of your partners (anyone you 
exchange payment card information with) be PCI compliant. At the level I work 
at, it's compulsory. Presently, it seems to apply to anyone taking payment 
cards over the web, and seems to be working its way down the food chain to 
brick and mortar vendors. <sarcasm> For me, it's the equivalent of a 
congressional full employment act, so I'm not complaining a lot. </sarcasm>

> Luckily, PCI-DSS compliance != security. Or is that unluckily because of
> how much money is wasted complying that could be better spent securing.

The latter. And for many, many, many other reasons than just the financial 

Jeff Simmons                                   jsimm...@goblin.punk.net
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise.  Are you sure you're doing it right?"
        --  My Life With The Thrill Kill Kult

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com