--- On Mon, 7/27/09, Michael Graham <[email protected]> wrote:
> PCI means well, and it's relevant (and sometimes useful) at the
> smaller merchant levels because many of them will just
> ignore security concerns otherwise, but it's _well_ past time that we in
> the security profession stopped acting like PCI has anything to do with
> security posture or risk exposure in large or high-volume
> companies.
I still think PCI is fine for what it is, but confusing it with "all I need to
do to secure myself" is the problem. What the DSS is is a
least-common-denominator of some of the things that should be done, as could be
agreed to by a committee of lawyers. As far as that goes it is correct: you
should in fact have a firewall, configure it, separate data.... But thinking
that achieving PCI compliance is all anyone needs to do - particularly, as you
say, in large shops - is rank madness.
I'll take them at their word that they passed a PCI audit, the SSC will be
extremely cranky with them if they say they did when they didn't. But I would
want them to have at least set up serious monitoring of traffic (as is not
required by PCI) and preferably application behavior if at all possible, too -
which is highly unlikely to be what they did.
I'm thinking you could argue that the DSS actually makes things worse by
lulling folks into a false sense of security, but I'm willing to bet that these
same folks would have done no more (and maybe less) without it...
-chris
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.