On 02/08/2014 07:15 AM, Eero Volotinen wrote:

    Also, he stores credit card information on his workstations
    and server.  (PCI would freak out.)


Please report this client to VISA.


Hi Eero,

You could always do it for me.  Tell them everyone, except
one or two in the entire state of Nevada has blown off
PCI.  It is the law in Nevada too.  First state to pass it.

I only have one client that follows the PCI paper chase.
The rest, when they get a hold of all the hoops, simply
pencil whip it.  It is less costly to risk a possible
breach and go into bankruptcy than jump through all the
impossible hoops, which are so designed that they never
will be able to pass an audit anyway.  So why jump through
the hoops?

Keep in mind that the largest exploit is the human
factor (human engineering viruses).  There is only
one question on the PCI questionnaire about it (employee
education).  There are hundreds of questions/hoops that
will be of very, very little help (but lots of expense).
Not all of them, fortunately.  PCI is all about shifting
liability to the merchant.

Now when I said "stores credit card data on their computers",
don't be confused.  They are indeed talking about the eventual
destination, but they are also talking about every step
in the path getting there.  So, if you enter a credit card
using a keyboard, a card swiper (also a keyboard), a
scanner, etc., the number is stored in memory in the operating
system well before it gets to its eventual destination.  As
these locations in memory are known locations and can be
harvested with a memory scrubber (the Target exploit) and/or
a keystroke logger, you "are" indeed storing them on your

Funny, on the link you sent, they kept mixing up "breached"
and "breeched".  "Breeched" is your rear end.  (Not that "I"
ever misspell anything!  Hey!  I went to publik skool.)


Computers are like air conditioners.
They malfunction when you open windows
