funsec mailing list archives

Re: The PCI sky *isn't* falling!


From: Paul Ferguson <fergdawgster () gmail com>
Date: Mon, 23 Mar 2009 22:40:37 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Mar 23, 2009 at 10:13 PM, Amrit Williams <johndoe321 () gmail com>
wrote:

> I can see a POV that states that PCI has helped organizations that lack
> even a base level of security to find a path towards a base level of
> things they could check for like whether or not they have updated their
> AV - not that it makes them more or less secure or more less prone to a
> breach, just a set of things they can check for, but to say that "PCI DSS
> did more to information security than anything else since..." is
> bordering on ridiculous at best.

Personally, I think PCI DSS "compliance" provides a minimalistic security
blanket, unfortunately.

There is a common agreement amongst many, many security professionals
(including myself) that too many organizations do what they can to be PCI
compliant at the time of their assessment, but do nothing more. And in fact,
they may even do less, which puts them (and their customers) at unnecessary
risk.

One of my favorite quotes (I forget to whom to attribute it) on this is
(paraphrased) "PCI compliance transfers the risk, it doesn't mitigate it."

$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJyHJMq1pz9mNUZTMRAm8eAJ4jDK1lNCCX1MFczJvzEGTyKikCkACfSxiC
eqmTIrTwYyRiMVBJLJEpfDs=
=BleX
-----END PGP SIGNATURE-----

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.