Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Compliance Is Wasted Money, Study Finds

From: Christian Sciberras <uuf6429 () gmail com>
Date: Sat, 24 Apr 2010 01:16:12 +0200
Hmm. Point taken.

Think I'm getting some sleep...


G'night.





On Sat, Apr 24, 2010 at 1:12 AM, Thor (Hammer of God)
<Thor () hammerofgod com>wrote:


You spend the time, resources, and money because you are contracted to.
You are required to.  You HAVE to.  That’s what we’ve all been getting on
about – you don’t get to choose, you have to if you want to continue to
process credit card information yourself.



If you want to use a gateway service or other processor, then fine – do
that.  No harm, no foul.  You just pay more.  If you want to do yourself,
you have to be PCI certified.  It’s just that simple.



t



*From:* Christian Sciberras [mailto:uuf6429 () gmail com]
*Sent:* Friday, April 23, 2010 3:57 PM

*To:* Thor (Hammer of God)
*Cc:* Mike Hale; Stephen Mullins; full-disclosure;
security-basics () securityfocus com
*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



I just want to emphasize on a point you mentioned right now:

It means companies illustrate a *base* of practices required to handle
consumer credit card data.

So why waste resources, time and money when one would be better off with
proper security measures?
As Mr Hale said, it's a piece of cake if you had the right stuff already
going. Problem is, it's a piece of expensive cake.

I just want[ed] to make my point clear, I don't see any discussion into
this at all.
As I already said, it is not my intention to argue with the original
message.

Cheers.

On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) <
Thor () hammerofgod com> wrote:

OK – so, when you say “to use PCI” what do you mean?  I get the feeling
that you are equating being “PCI certified” as something people just “get”
to show other people they are “secure.”  Hence your use of “marketing
propaganda.”



People don’t go through an audit and get PCI certified so that they can
claim they are secure.  It doesn’t work like that.  PCI (Payment Card
Industry) compliances is what people HAVE to do, as in FORCED to do whether
they want to or not, in order to be able to process credit cards.  If you
process less than 1 million xactions per year, you can “self audit.”  Can
you lie?  Sure.  But you’ll get your ability to process payments yanked if
they catch you.  More than that requires an auditor.  If that auditor finds
you have horrible security controls in place, you will fail.  If they pass
you anyway, they can lose their certification to audit.  If you fail, you
have x time to get with the program and be audited again.



It’s just a way for the CC industry to make sure the people handling card
info follow best practices for security.  That’s all it means – it is a
certification FOR the industry BY the industry.  No one ever said it mean
people had “real security.”  It means companies illustrate a base of
practices required to handle consumer credit card data.  That’s it.



And I totally agree with Mike Hale’s comments about “if you are really
secure, as in ‘already secure’ then it’s cake.”  I don’t know that I would
say “cake” as it depends on the scope of audit, but he’s right.  If you
already have a drive to secure your infrastructure, then PCI should be
easy.  My requirements for security are far more strict than PCI.  Yours may
or may not be, so you’ll have to adjust as necessary.



Regarding code, I do believe that in PCI audits for dev that you have to
illustrate an SDL, in which case things like XSS and BOs and such would be
part of.



That’s the skinny on PCI J



t



*From:* Christian Sciberras [mailto:uuf6429 () gmail com]
*Sent:* Friday, April 23, 2010 3:34 PM


*To:* Thor (Hammer of God)

*Cc:* Mike Hale; Stephen Mullins; full-disclosure;
security-basics () securityfocus com


*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



No problem with that.

1) No.
2) Planning to, but no.
3) Heavens no.
4) I've looked into whether it was into our best interest to use PCI. (it
was decided that it wasn't worth the trouble)
At that time, I knew about PCI but not its details, at which point we got
someone to explain in detail for us.
The end decision wasn't mine, though.
We do take security as a main concern, however, it is preferred to have a
more realistic approach to security rather then restrict employees' access
(by signing some oath..).

Regards,
Christian Sciberras.


On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) <
Thor () hammerofgod com> wrote:

Marketing propaganda?  I have no idea what you are talking about.



Before commenting on PCI not helping at all and at the most being a false
sense of security, let me ask:

1)      Does the company you work for perform PCI audits?

2)      Is the company you work for required to undergo PCI audits?

3)      Are you certified to be able to perform a PCI audit?

4)      Have you ever been directly involved with, as in contributing to,
a PCI audit, and if so, in what capacity?



I would like to see some truthful expansion on the answers to those
questions before continuing dialog about if PCI contributes to security or
not.



t



*From:* Christian Sciberras [mailto:uuf6429 () gmail com]
*Sent:* Friday, April 23, 2010 3:02 PM
*To:* Mike Hale
*Cc:* Stephen Mullins; full-disclosure; security-basics () securityfocus com;
Thor (Hammer of God)


*Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



If you strive for security, and weave that into your network,
complying with PCI should be cake.

Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document
any more secure then having server facing the wild of the net?

Truth is, PCI doesn't help in security at all. It at most a sense of false
security (and at least serves as a recreational exercise for auditors).

Thor, I'm not arguing with the article, since I didn't read it, and I won't
bother to. I just want to point out some hard facts about PCI/DSS which you
call "no big deal".
I surely agree with that, but what is not a big deal for you doesn't mean
it ain't for the rest of the world.
What stops an uninformed programmer from complying with PCI/DSS (or at
least, think to) and leave  RFI/XSS/whatever holes everywhere?
That said, security flaws are just about everywhere so no need to get
critical about it. For now at least.

The point isn't "who" should be using credit cards or not, it's a matter of
security.

I find it strange that you're excusing marketing propaganda.

Sincere regards,
Christian Sciberras.

On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale <eyeronic.design () gmail com>
wrote:

Look at the PCI requirements.

What's unreasonable about them?  Which portions are *NOT* part of
having a secure network?

If you strive for security, and weave that into your network,
complying with PCI should be cake.


On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins
<steve.mullins.work () gmail com> wrote:

I don't see what the hubbub is


Some people in the information security industry actually care about
securing systems and the information they contain rather than filling
in check boxes.  Compliance may ensure a minimum standard is met, but
it does not ensure or imply that real security is being maintained at
an organization.

As you say, PCI has become a cost of doing business whereas having a
secure network is apparently not a cost of doing business.  This is a
problem.

Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
<Thor () hammerofgod com> wrote:

How can you say it is “wasted”? It doesn’t matter if you are a “fan” of

it

or not, in the same way that it doesn’t matter if you are a “fan” of the

4%

surcharge retail establishments pay to accept the credit card as

payment.

Using your logic, you would way it is “wasted money,” and might bring

into

question the “value” of the surcharge, etc.  It is simply a cost of

doing

business.



If you choose to offload processing to a payment gateway, then that will
also incur a cost.  Depending on your volume, that cost may or may not

be

higher than you processing them yourself while complying to standards.

The

implementation of actual security measures will be different.  But you

can’t

“handle” credit cards in the classic sense of the word without complying
with PCI.  If you pass along the transaction to a gateway, you are not
handling it.  If you DO handle it, then you have to comply with PCI.  If

you

process less than 1 million transactions a year, you can “self audit.”

If

you process more, you have to be audit by a PCI auditor.



None of this MEANS you are secure, it means you comply.  If you don’t

like

PCI, then don’t process credit cards, or come up with your own.  I still
don’t really see what all the hubbub is about here.



t



From: Christian Sciberras [mailto:uuf6429 () gmail com]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure;
security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit
cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit cards,

or a

stable payment system? The later I guess.
As to security, it totally depends on implementation; one can handle

credit

cards without the need of standards compliance.

My two cents.

Regards,
Christian Sciberras.


On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <

Thor () hammerofgod com>

wrote:

Another thing that I think people fail to keep in mind is that when it

comes

to PCI, it is part of a contractual agreement between the entity and

card

facility they are working with.   If a business wants to accept credit

cards

as a means of payment (based on volume) then part of their agreement is

that

they must undergo compliance to a standard implemented by the industry.

I

don’t know why people get all emotional about it and throw up their

hands

with all the “this is wasted money” positioning – it’s not wasted at

all; it

is simply part of the cost of doing business in that market.



t



From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of

Christopher

Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state

that

the money spent on compliance is money wasted.

On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design () gmail com>
wrote:

I find the findings completely flawed.  Am I missing something?



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

_______________________________________________

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: