Look at the PCI requirements. What's unreasonable about them? Which portions are *NOT* part of having a secure network?
If you strive for security, and weave that into your network, complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins <[email protected]> wrote:
>> I don't see what the hubbub is
>
> Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes. Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization.
>
> As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem.
>
> Crazy notion, I know.
>
> On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) <[email protected]> wrote:
>> How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it or not, in the same way that it doesn’t matter if you are a “fan” of the 4% surcharge retail establishments pay to accept the credit card as payment. Using your logic, you would say it is “wasted money,” and might bring into question the “value” of the surcharge, etc. It is simply a cost of doing business.
>>
>> If you choose to offload processing to a payment gateway, then that will also incur a cost. Depending on your volume, that cost may or may not be higher than you processing them yourself while complying with standards. The implementation of actual security measures will be different. But you can’t “handle” credit cards in the classic sense of the word without complying with PCI. If you pass along the transaction to a gateway, you are not handling it. If you DO handle it, then you have to comply with PCI. If you process less than 1 million transactions a year, you can “self audit.” If you process more, you have to be audited by a PCI auditor.
>>
>> None of this MEANS you are secure, it means you comply. If you don’t like PCI, then don’t process credit cards, or come up with your own. I still don’t really see what all the hubbub is about here.
>>
>> t
>>
>> From: Christian Sciberras [mailto:[email protected]]
>> Sent: Friday, April 23, 2010 9:29 AM
>> To: Thor (Hammer of God)
>> Cc: Christopher Gilbert; Mike Hale; full-disclosure; [email protected]
>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>> it is simply part of the cost of doing business in that market.
>> A.k.a. wasted money. Truth be told, I'm no fan of PCI.
>> Other companies get the same functionality (accept the storage of credit cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
>> In the end, as a service, what do I want, an inventory of credit cards, or a stable payment system? The latter I guess.
>> As to security, it totally depends on implementation; one can handle credit cards without the need of standards compliance.
>>
>> My two cents.
>>
>> Regards,
>> Christian Sciberras.
>>
>> On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <[email protected]> wrote:
>>
>> Another thing that I think people fail to keep in mind is that when it comes to PCI, it is part of a contractual agreement between the entity and card facility they are working with. If a business wants to accept credit cards as a means of payment (based on volume) then part of their agreement is that they must undergo compliance to a standard implemented by the industry. I don’t know why people get all emotional about it and throw up their hands with all the “this is wasted money” positioning – it’s not wasted at all; it is simply part of the cost of doing business in that market.
>>
>> t
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Christopher Gilbert
>> Sent: Thursday, April 22, 2010 4:48 PM
>> To: Mike Hale
>> Cc: full-disclosure; [email protected]
>> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>>
>> The paper concludes that companies are underinvesting in--or improperly prioritizing--the protection of their secrets. Nowhere does it state that the money spent on compliance is money wasted.
>>
>> On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <[email protected]> wrote:
>>
>> I find the findings completely flawed. Am I missing something?
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
