BreachExchange mailing list archives
Re: Best Western Response
From: "Jamie C. Pole" <jpole () jcpa com>
Date: Tue, 26 Aug 2008 16:21:45 -0400
The PCI DSS program is a joke. Pure & simple. Definitely broken, sometimes ignored. I teach a LOT of public and private classes on auditing and ethical hacking/penetration analysis, and it never ceases to amaze me how little the people with the QSA designation actually know. Most of them seem to be former IT auditors - that particular bar (QSA) is set W-A-Y too low.

Think about it - when was the last time you heard about a security breach involving credit card processing where the target was NOT PCI-compliant? All of the good ones I've worked on recently have had PCI certification in place. That certification has meant precisely zilch in the overall scheme of things.

The fact is that the PCI DSS program itself is flawed, and provides nothing more than a false sense of security. When certain "security" companies commoditize "network scanning" to the point that it is an entirely automated effort, the buyer deserves what they are going to get. The number of breaches involving PCI-compliant entities should speak for itself...

Jamie

On Aug 26, 2008, at 2:41 PM, Harris, Michael C. wrote:
There is something missing here, that doesn't true out with the expectations in the PCI standard for a level one payer. Smaller mom and pop level four establishments may slip by, but the mandatory audits of level one folks should be forcing some change across the hospitality industry... Perhaps slowly. It should have been identified as an audit point with a remediation plan in the quarterly or yearly PCI audit.

So who was the last quarterly PCI auditor for Best Western? Is PCI that broken or ignored?

Level One
  Criteria: 6,000,000 transactions per year
  Validation: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Qualified Security Assessor or Internal Audit if signed by Officer of the company; Approved Scanning Vendor

Level Two
  Criteria: 1,000,000 to 6,000,000 transactions
  Validation: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Merchant; Approved Scanning Vendor
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss