Sorry, forgot to reply to your quoting me about false sense of security. Let me explain myself.
It is relatively easier to forget real security concerns (such as [really] bad coding) when one follows a checklist for "high security" (quoting pcisecuritystandards.org). Unless I missed something (which I don't think I did) PCI/DSS doesn't help at all since it is putting security methodologies over your project manager's desk, rather then get a IT Security specialist do the job. Cheers. On Sat, Apr 24, 2010 at 12:33 AM, Christian Sciberras <[email protected]>wrote: > No problem with that. > > 1) No. > 2) Planning to, but no. > 3) Heavens no. > 4) I've looked into whether it was into our best interest to use PCI. (it > was decided that it wasn't worth the trouble) > At that time, I knew about PCI but not its details, at which point we got > someone to explain in detail for us. > The end decision wasn't mine, though. > We do take security as a main concern, however, it is preferred to have a > more realistic approach to security rather then restrict employees' access > (by signing some oath..). > > Regards, > Christian Sciberras. > > > > > > On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) < > [email protected]> wrote: > >> Marketing propaganda? I have no idea what you are talking about. >> >> >> >> Before commenting on PCI not helping at all and at the most being a false >> sense of security, let me ask: >> >> 1) Does the company you work for perform PCI audits? >> >> 2) Is the company you work for required to undergo PCI audits? >> >> 3) Are you certified to be able to perform a PCI audit? >> >> 4) Have you ever been directly involved with, as in contributing to, >> a PCI audit, and if so, in what capacity? >> >> >> >> I would like to see some truthful expansion on the answers to those >> questions before continuing dialog about if PCI contributes to security or >> not. >> >> >> >> t >> >> >> >> *From:* Christian Sciberras [mailto:[email protected]] >> *Sent:* Friday, April 23, 2010 3:02 PM >> *To:* Mike Hale >> *Cc:* Stephen Mullins; full-disclosure; [email protected]; >> Thor (Hammer of God) >> >> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >> >> >> >> If you strive for security, and weave that into your network, >> complying with PCI should be cake. >> >> Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document >> any more secure then having server facing the wild of the net? >> >> Truth is, PCI doesn't help in security at all. It at most a sense of false >> security (and at least serves as a recreational exercise for auditors). >> >> Thor, I'm not arguing with the article, since I didn't read it, and I >> won't bother to. I just want to point out some hard facts about PCI/DSS >> which you call "no big deal". >> I surely agree with that, but what is not a big deal for you doesn't mean >> it ain't for the rest of the world. >> What stops an uninformed programmer from complying with PCI/DSS (or at >> least, think to) and leave RFI/XSS/whatever holes everywhere? >> That said, security flaws are just about everywhere so no need to get >> critical about it. For now at least. >> >> The point isn't "who" should be using credit cards or not, it's a matter >> of security. >> >> I find it strange that you're excusing marketing propaganda. >> >> Sincere regards, >> Christian Sciberras. >> >> >> On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale <[email protected]> >> wrote: >> >> Look at the PCI requirements. >> >> What's unreasonable about them? Which portions are *NOT* part of >> having a secure network? >> >> If you strive for security, and weave that into your network, >> complying with PCI should be cake. >> >> >> On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins >> <[email protected]> wrote: >> >>I don't see what the hubbub is >> > >> > Some people in the information security industry actually care about >> > securing systems and the information they contain rather than filling >> > in check boxes. Compliance may ensure a minimum standard is met, but >> > it does not ensure or imply that real security is being maintained at >> > an organization. >> > >> > As you say, PCI has become a cost of doing business whereas having a >> > secure network is apparently not a cost of doing business. This is a >> > problem. >> > >> > Crazy notion, I know. >> > >> > On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) >> > <[email protected]> wrote: >> >> How can you say it is “wasted”? It doesn’t matter if you are a “fan” of >> it >> >> or not, in the same way that it doesn’t matter if you are a “fan” of >> the 4% >> >> surcharge retail establishments pay to accept the credit card as >> payment. >> >> Using your logic, you would way it is “wasted money,” and might bring >> into >> >> question the “value” of the surcharge, etc. It is simply a cost of >> doing >> >> business. >> >> >> >> >> >> >> >> If you choose to offload processing to a payment gateway, then that >> will >> >> also incur a cost. Depending on your volume, that cost may or may not >> be >> >> higher than you processing them yourself while complying to standards. >> The >> >> implementation of actual security measures will be different. But you >> can’t >> >> “handle” credit cards in the classic sense of the word without >> complying >> >> with PCI. If you pass along the transaction to a gateway, you are not >> >> handling it. If you DO handle it, then you have to comply with PCI. >> If you >> >> process less than 1 million transactions a year, you can “self audit.” >> If >> >> you process more, you have to be audit by a PCI auditor. >> >> >> >> >> >> >> >> None of this MEANS you are secure, it means you comply. If you don’t >> like >> >> PCI, then don’t process credit cards, or come up with your own. I >> still >> >> don’t really see what all the hubbub is about here. >> >> >> >> >> >> >> >> t >> >> >> >> >> >> >> >> From: Christian Sciberras [mailto:[email protected]] >> >> Sent: Friday, April 23, 2010 9:29 AM >> >> To: Thor (Hammer of God) >> >> Cc: Christopher Gilbert; Mike Hale; full-disclosure; >> >> [email protected] >> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >> >> >> >> >> >> >> >> it is simply part of the cost of doing business in that market. >> >> A.k.a. wasted money. Truth be told, I'm no fan of PCI. >> >> Other companies get the same functionality (accept the storage of >> credit >> >> cards) without worrying about PCI/DSS (e.g. through Payment Gateways). >> >> In the end, as a service, what do I want, an inventory of credit cards, >> or a >> >> stable payment system? The later I guess. >> >> As to security, it totally depends on implementation; one can handle >> credit >> >> cards without the need of standards compliance. >> >> >> >> My two cents. >> >> >> >> Regards, >> >> Christian Sciberras. >> >> >> >> >> >> On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) < >> [email protected]> >> >> wrote: >> >> >> >> Another thing that I think people fail to keep in mind is that when it >> comes >> >> to PCI, it is part of a contractual agreement between the entity and >> card >> >> facility they are working with. If a business wants to accept credit >> cards >> >> as a means of payment (based on volume) then part of their agreement is >> that >> >> they must undergo compliance to a standard implemented by the >> industry. I >> >> don’t know why people get all emotional about it and throw up their >> hands >> >> with all the “this is wasted money” positioning – it’s not wasted at >> all; it >> >> is simply part of the cost of doing business in that market. >> >> >> >> >> >> >> >> t >> >> >> >> >> >> >> >> From: [email protected] >> >> [mailto:[email protected]] On Behalf Of >> Christopher >> >> Gilbert >> >> Sent: Thursday, April 22, 2010 4:48 PM >> >> To: Mike Hale >> >> Cc: full-disclosure; [email protected] >> >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds >> >> >> >> >> >> >> >> The paper concludes that companies are underinvesting in--or improperly >> >> prioritizing--the protection of their secrets. Nowhere does it state >> that >> >> the money spent on compliance is money wasted. >> >> >> >> On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <[email protected]> >> >> wrote: >> >> >> >> I find the findings completely flawed. Am I missing something? >> >> >> >> >> >> >> >> _______________________________________________ >> >> Full-Disclosure - We believe in it. >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> >> >> >> >> >> _______________________________________________ >> >> Full-Disclosure - We believe in it. >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> > >> > _______________________________________________ >> > Full-Disclosure - We believe in it. >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> > Hosted and sponsored by Secunia - http://secunia.com/ >> > >> >> >> -- >> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 >> >> _______________________________________________ >> >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
