Full Disclosure mailing list archives

Re: Compliance Is Wasted Money, Study Finds


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 11 Apr 2010 01:00:56 +1200

Tracy Reed to Digital X:

Having just gone through a PCI audit I can safely say a few things:

Not the fault of PCI. Perhaps you should consider a better auditor.

Ummmmm -- isn't the point that PCI is set up such that lowest (common 
denominator amongst) auditors are actually the ones that define what 
"PCI compliance" really is?

As an earlier poster already pointed out, all the vaguely recent major 
credit card data theft cases have involved "fully PCI compliant" (as 
defined by that perpetrator's PCI auditors) card processors, etc...

What part of "that's really fsck'ed-up" did you not understand?

...

Sure, you _can_ retain a "morally [and maybe even technically] 
superior" PCI auditor, but WTF does that buy you other than a bigger 
bill for an essentially meaningless "certification"?

Did any of those massive "PCI accredited" fsck-up operators lose their 
accreditations?  Did any of them have to give up their CC processing 
business activities as a result of their _proven_ (by the mostly 
generally trivial "hacks" that fsck'ed them up) poor practice?

So why would any other "must be PCI compliant" operators even consider 
spending more money than the lowliest of PCI auditors charge?



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/