On Mon, 23 Mar 2009, Alex Eckelberry wrote:

> I agree, PCI is a stupid, idiotic standard but it does force some basic best practices.

But it doesn't.

A) You can choose which level of security you want to be under, and at least some banks are happy if you choose the lowest, even if it's plainly wrong. At the lowest level of security, you're required to do bugger-all.

B) You get compliant by self-certification, and if you decide that any of the requirements are not applicable, you can avoid them.

C) You choose which of your IP addresses are tested by the outside auto-tester.

> But to think it's a fix is "whistling past the graveyard".
>
> Alex
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Anton Chuvakin
> Sent: Monday, March 23, 2009 8:01 PM
> To: [email protected]
> Subject: Re: [funsec] The PCI sky *isn't* falling!
>
> > same answer: "I don't participate in security theater." I think this
>
> First, I am amazed how people so intelligent can hold opinions so shortsighted :-)
>
> I'd say that PCI DSS did more for information security than *anything else* since Windows added automated updates.
>
> Now, I've said it :-)
>
> But if you are looking for proof of this, it is actually elsewhere: that mentioned "security theater" actually made people who were COMPLETELY ignoring security look at security - and then screw it up. And you know what? I think such motion from total ignorance to doing "a piss-poor job" of security represents huge progress for such, mostly small, organizations.
>
> Now, some might say that my argument is of the type "Why do 99% of lawyers give the rest a bad name?", but it is not. I am pretty sure that even companies that "do it just for the auditor" or, worse, deceive their PCI assessor still gain a tiny fraction of risk reduction, both for themselves - and for the rest of us.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
