BreachExchange mailing list archives

Re: Best Western Response


From: "Jamie C. Pole" <jpole () jcpa com>
Date: Tue, 26 Aug 2008 17:33:50 -0400


When the standard doesn't reflect the reality of the situation, I  
would argue that credit card processors are FAR better off having a  
real security assessment done by competent consultant resources,  
rather than have automated tools run by "certified" individuals that  
don't have the knowledge to interpret the results.

I agree that something is better than nothing, but the PCI DSS program  
gives nothing but a false sense of security.  The processors should be  
made to very clearly understand that PCI compliance is only meaningful  
to the PCI people - it does not reflect whether or not the environment  
can be breached in the real world.  I have yet to see a PCI DSS  
certified environment that would allow me to sleep at night if I was  
responsible for it.

Jamie


On Aug 26, 2008, at 5:28 PM, Michael Hill, CITRMS wrote:

No matter what anybody or any government or industry puts together,  
there is no perfect system/solution.  But taking reasonable steps to  
safeguard the data compared to NOT doing anything should count for  
something.



Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS |  
TRAINING


"If You Think You're Not At Risk, Think Again!"

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
