funsec mailing list archives
Re: The PCI sky *isn't* falling!
From: Paul Ferguson <fergdawgster () gmail com>
Date: Mon, 23 Mar 2009 22:40:37 -0700
On Mon, Mar 23, 2009 at 10:13 PM, Amrit Williams <johndoe321 () gmail com> wrote:

> I can see a POV that states that PCI has helped organizations that lack even a base level of security to find a path towards a base level of things they could check for like whether or not they have updated their AV - not that it makes them more or less secure or more or less prone to a breach, just a set of things they can check for, but to say that "PCI DSS did more to information security than anything else since..." is bordering on ridiculous at best.

Personally, I think PCI DSS "compliance" provides a minimalistic security blanket, unfortunately. There is a common agreement amongst many, many security professionals (including myself) that too many organizations do what they can to be PCI compliant at the time of their assessment, but do nothing more. And in fact, may even do less, which puts them (and their customers) at unnecessary risk.

One of my favorite quotes (I forget who to attribute) on this is (paraphrased) "PCI compliance transfers the risk, it doesn't mitigate it."

$.02,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/