BreachExchange mailing list archives

Re: Best Western Response


From: security curmudgeon <jericho () attrition org>
Date: Tue, 26 Aug 2008 22:44:06 +0000 (UTC)



: I agree that some "lowest common denominator" can be helpful, but not at 
: the expense of an actual security program.  Too many processors take 
: their PCI certificate "to the bank", and don't seem to bother doing 
: anything else.
: 
: That is the fatal flaw in the program.
: 
: In addition, the way the PCI QSA program is structured ensures that 
: competent security consultants will stay out of it.  Why would anyone 
: want to sign on to a program where you have essentially unlimited 
: liability, but are forced to base your certification decisions on a 
: ridiculous standard?  AND you have to pay them $20,000 initially, and 
: $10,000 per year afterward...  Where does that money go???

After that, you get to bid against the LCD who does their automated scans 
w/ little to no validation for pennies on the dollar. A company I used to 
work for was an ASV for a while, but we only did the work as a loss 
leader to get in the door and then upsell. That was the *only* value of 
doing PCI work.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss