Full Disclosure mailing list archives

Re: VISA PCI DSS standard : Good or bad?


From: " " <ngiles () hushmail com>
Date: Wed, 10 May 2006 11:42:49 -0500


Sit through the class and get a good understanding. Then crawl 
under your desk and hope you don't have to do one. "Use your best 
judgement" VISA golden rule right there.


On Wed, 10 May 2006 04:44:17 -0500 "newslist@security-briefings.com" <newslist () security-briefings com> wrote:
Hello all

Have you already faced the VISA PCI DSS standard?

In case your IT system stores, manipulates, or sends credit card numbers, as security professionals you need to follow it and make your system compliant with what VISA calls the PCI DSS standard. The goal of this standard is to ensure that our customers' credit cards are safe from evil hackers or employees... Great idea!

But for us, this standard has some weaknesses:
- Commercial electronic payment organizations designed an insecure system and now they want us to pay to secure their business!
- Too much focus on system and network security
- Only a quarterly scan with any VISA compliant scanner such as Qualys
- No pentest at the application level is required, and when you think that as pentesters we almost always succeed in compromising sensitive information such as credit cards via a security bug at the application level, we notice that this is the most important weakness.

Never mind... VISA PCI DSS is here... and we must apply it.

There are some slides from Security Professionals Conference 2006 about this topic that are worth reading: "Two Approaches to PCI DSS Compliance"
Go to http://www.security-briefings.com for details

Regards

Newslist [at] security-briefings.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


