On Mon, Jul 27, 2009 at 4:47 PM, <ch...@blask.org> wrote:
>
> I still think PCI is fine for what it is, but confusing it with "all I need to do to secure myself" is the problem. What the DSS is is a least-common-denominator of some of the things that should be done, as could be agreed to by a committee of lawyers. As far as that goes it is correct: you should in fact have a firewall, configure it, separate data.... But thinking that achieving PCI compliance is all anyone needs to do - particularly, as you say, in large shops - is rank madness.
>
> I'll take them at their word that they passed a PCI audit; the SSC will be extremely cranky with them if they say they did when they didn't. But I would want them to have at least set up serious monitoring of traffic (as is not required by PCI) and preferably application behavior if at all possible, too - which is highly unlikely what they did.
>
> I'm thinking you could argue that the DSS actually makes things worse by lulling folks into a false sense of security, but I'm willing to bet that these same folks would have done no more (and maybe less) without it...
>
> -chris
>
This is essentially exactly what annoys me about PCI as it's often thrown around these days. It's difficult to find companies that need to be PCI compliant that are running real, serious internal risk management programs to make their own decisions about risk and avoidance/mitigation. Instead they have a lowest common denominator to apply, and after that, well, it's not their problem.

The mentality is obvious in the companies that suffer breaches and immediately blurt out "We were PCI compliant!" As if that's a defense against the rudeness of reality. Obviously, meeting an arbitrary metric shouldn't absolve you of the responsibility to make your own risk decisions as appropriate to your business and your customers, and after having done so it doesn't absolve you of the responsibility to execute those risk decisions properly.

Compound this absurd notion that PCI compliance divests you of core custodian responsibilities with the questionable value of PCI itself, and we've got the PCI council helping all of us into an overall worse security situation, not a better one, regardless of intent.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.