Penetration Testing mailing list archives

Re: Heartland Gets Religion on Security


From: rajat swarup <rajats () gmail com>
Date: Fri, 19 Jun 2009 16:38:09 -0400

On Thu, Jun 18, 2009 at 7:02 AM, Jeffrey Walton <noloader () gmail com> wrote:
From the folks at Attrition and the DataLossDB.

---------- Forwarded message ----------

 Carr says that one lesson he's learned from the breach is that the
 industry's security standard, called Payment Card Industry or PCI, doesn't
 go far enough. It's the "lowest common denominator," he says, adding that
 the audit didn't detect the vulnerability that led to the hack even though
 it had existed for years.

It's interesting to see their perspective, but I'd like to think that
the assessor didn't do a thorough job of reviewing them either.  I
could be wrong too!  Not to place faith in the PCI DSS or anything, but
I have yet to see a *truly* compliant merchant being breached.  Media
reports led me to believe that the ones that were compliant and
breached had been weakly assessed on certain aspects of the
assessment.

Just a thought!
-- 
Rajat Swarup

http://rajatswarup.blogspot.com/
