funsec mailing list archives

Re: Fwd: [Dataloss] Network Solutions was PCI compliant before breach


From: Valdis.Kletnieks () vt edu
Date: Mon, 27 Jul 2009 17:05:30 -0400

On Mon, 27 Jul 2009 22:11:08 +0200, Alexandre Dulaunoy said:
> On Mon, Jul 27, 2009 at 8:55 PM, Anton Chuvakin<anton () chuvakin org> wrote:
>> They probably were NOT, contrary to what their spokesperson seems to say.
>
> Network Solutions is listed in the PCI DSS Validated Services Providers starting
> October 31, 2008. The assessor was Payment Software Company (PSC).

Note the vast difference between the following three things:

1) PSC says Network Solutions appears to be compliant, based on their canned
checklist.

2) Network Solutions is actually compliant in both letter and spirit, including
all the nooks and crannies that PSC didn't poke into.

3) Although "fully compliant" is *probably* more secure than "didn't even
think about being compliant", "fully compliant" doesn't therefore imply
"fully secure".


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
