Penetration Testing mailing list archives
Re: Heartland Gets Religion on Security
From: rajat swarup <rajats () gmail com>
Date: Fri, 19 Jun 2009 16:38:09 -0400
On Thu, Jun 18, 2009 at 7:02 AM, Jeffrey Walton<noloader () gmail com> wrote:
> From the folks at Attrition and the DataLossDB.
>
> ---------- Forwarded message ----------
> Carr says that one lesson he's learned from the breach is that the industry's security standard, called Payment Card Industry or PCI, doesn't go far enough. It's the "lowest common denominator," he says, adding that the audit didn't detect the vulnerability that led to the hack even though it had existed for years.
It's interesting to see their perspective, but I'd like to think that the assessor didn't do a thorough job of reviewing them either. I could be wrong too! Not to place faith in the PCI DSS or anything, but I have yet to see a *truly* compliant merchant being breached. Media reports led me to believe that the ones that were compliant and breached had been weakly assessed on certain aspects of the assessment. Just a thought!

--
Rajat Swarup
http://rajatswarup.blogspot.com/
Current thread:
- Fwd: Heartland Gets Religion on Security Jeffrey Walton (Jun 18)
- Re: Heartland Gets Religion on Security rajat swarup (Jun 20)
- Re: Heartland Gets Religion on Security Jeffrey Walton (Jun 20)
- Re: Heartland Gets Religion on Security security curmudgeon (Jun 20)
- Re: Heartland Gets Religion on Security Jeffrey Walton (Jun 20)
- Re: Heartland Gets Religion on Security rajat swarup (Jun 20)