Hmm. Point taken. Think I'm getting some sleep...
G'night. On Sat, Apr 24, 2010 at 1:12 AM, Thor (Hammer of God) <t...@hammerofgod.com>wrote: > You spend the time, resources, and money because you are contracted to. > You are required to. You HAVE to. That’s what we’ve all been getting on > about – you don’t get to choose, you have to if you want to continue to > process credit card information yourself. > > > > If you want to use a gateway service or other processor, then fine – do > that. No harm, no foul. You just pay more. If you want to do yourself, > you have to be PCI certified. It’s just that simple. > > > > t > > > > *From:* Christian Sciberras [mailto:uuf6...@gmail.com] > *Sent:* Friday, April 23, 2010 3:57 PM > > *To:* Thor (Hammer of God) > *Cc:* Mike Hale; Stephen Mullins; full-disclosure; > security-bas...@securityfocus.com > *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > > > > I just want to emphasize on a point you mentioned right now: > > It means companies illustrate a *base* of practices required to handle > consumer credit card data. > > So why waste resources, time and money when one would be better off with > proper security measures? > As Mr Hale said, it's a piece of cake if you had the right stuff already > going. Problem is, it's a piece of expensive cake. > > I just want[ed] to make my point clear, I don't see any discussion into > this at all. > As I already said, it is not my intention to argue with the original > message. > > Cheers. > > On Sat, Apr 24, 2010 at 12:46 AM, Thor (Hammer of God) < > t...@hammerofgod.com> wrote: > > OK – so, when you say “to use PCI” what do you mean? I get the feeling > that you are equating being “PCI certified” as something people just “get” > to show other people they are “secure.” Hence your use of “marketing > propaganda.” > > > > People don’t go through an audit and get PCI certified so that they can > claim they are secure. It doesn’t work like that. PCI (Payment Card > Industry) compliances is what people HAVE to do, as in FORCED to do whether > they want to or not, in order to be able to process credit cards. If you > process less than 1 million xactions per year, you can “self audit.” Can > you lie? Sure. But you’ll get your ability to process payments yanked if > they catch you. More than that requires an auditor. If that auditor finds > you have horrible security controls in place, you will fail. If they pass > you anyway, they can lose their certification to audit. If you fail, you > have x time to get with the program and be audited again. > > > > It’s just a way for the CC industry to make sure the people handling card > info follow best practices for security. That’s all it means – it is a > certification FOR the industry BY the industry. No one ever said it mean > people had “real security.” It means companies illustrate a base of > practices required to handle consumer credit card data. That’s it. > > > > And I totally agree with Mike Hale’s comments about “if you are really > secure, as in ‘already secure’ then it’s cake.” I don’t know that I would > say “cake” as it depends on the scope of audit, but he’s right. If you > already have a drive to secure your infrastructure, then PCI should be > easy. My requirements for security are far more strict than PCI. Yours may > or may not be, so you’ll have to adjust as necessary. > > > > Regarding code, I do believe that in PCI audits for dev that you have to > illustrate an SDL, in which case things like XSS and BOs and such would be > part of. > > > > That’s the skinny on PCI J > > > > t > > > > *From:* Christian Sciberras [mailto:uuf6...@gmail.com] > *Sent:* Friday, April 23, 2010 3:34 PM > > > *To:* Thor (Hammer of God) > > *Cc:* Mike Hale; Stephen Mullins; full-disclosure; > security-bas...@securityfocus.com > > > *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > > > > No problem with that. > > 1) No. > 2) Planning to, but no. > 3) Heavens no. > 4) I've looked into whether it was into our best interest to use PCI. (it > was decided that it wasn't worth the trouble) > At that time, I knew about PCI but not its details, at which point we got > someone to explain in detail for us. > The end decision wasn't mine, though. > We do take security as a main concern, however, it is preferred to have a > more realistic approach to security rather then restrict employees' access > (by signing some oath..). > > Regards, > Christian Sciberras. > > > On Sat, Apr 24, 2010 at 12:22 AM, Thor (Hammer of God) < > t...@hammerofgod.com> wrote: > > Marketing propaganda? I have no idea what you are talking about. > > > > Before commenting on PCI not helping at all and at the most being a false > sense of security, let me ask: > > 1) Does the company you work for perform PCI audits? > > 2) Is the company you work for required to undergo PCI audits? > > 3) Are you certified to be able to perform a PCI audit? > > 4) Have you ever been directly involved with, as in contributing to, > a PCI audit, and if so, in what capacity? > > > > I would like to see some truthful expansion on the answers to those > questions before continuing dialog about if PCI contributes to security or > not. > > > > t > > > > *From:* Christian Sciberras [mailto:uuf6...@gmail.com] > *Sent:* Friday, April 23, 2010 3:02 PM > *To:* Mike Hale > *Cc:* Stephen Mullins; full-disclosure; security-bas...@securityfocus.com; > Thor (Hammer of God) > > > *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > > > > If you strive for security, and weave that into your network, > complying with PCI should be cake. > > Uhm.. No. NO. PCI is an unnecessary hassle. What makes signing a document > any more secure then having server facing the wild of the net? > > Truth is, PCI doesn't help in security at all. It at most a sense of false > security (and at least serves as a recreational exercise for auditors). > > Thor, I'm not arguing with the article, since I didn't read it, and I won't > bother to. I just want to point out some hard facts about PCI/DSS which you > call "no big deal". > I surely agree with that, but what is not a big deal for you doesn't mean > it ain't for the rest of the world. > What stops an uninformed programmer from complying with PCI/DSS (or at > least, think to) and leave RFI/XSS/whatever holes everywhere? > That said, security flaws are just about everywhere so no need to get > critical about it. For now at least. > > The point isn't "who" should be using credit cards or not, it's a matter of > security. > > I find it strange that you're excusing marketing propaganda. > > Sincere regards, > Christian Sciberras. > > On Fri, Apr 23, 2010 at 7:42 PM, Mike Hale <eyeronic.des...@gmail.com> > wrote: > > Look at the PCI requirements. > > What's unreasonable about them? Which portions are *NOT* part of > having a secure network? > > If you strive for security, and weave that into your network, > complying with PCI should be cake. > > > On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins > <steve.mullins.w...@gmail.com> wrote: > >>I don't see what the hubbub is > > > > Some people in the information security industry actually care about > > securing systems and the information they contain rather than filling > > in check boxes. Compliance may ensure a minimum standard is met, but > > it does not ensure or imply that real security is being maintained at > > an organization. > > > > As you say, PCI has become a cost of doing business whereas having a > > secure network is apparently not a cost of doing business. This is a > > problem. > > > > Crazy notion, I know. > > > > On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God) > > <t...@hammerofgod.com> wrote: > >> How can you say it is “wasted”? It doesn’t matter if you are a “fan” of > it > >> or not, in the same way that it doesn’t matter if you are a “fan” of the > 4% > >> surcharge retail establishments pay to accept the credit card as > payment. > >> Using your logic, you would way it is “wasted money,” and might bring > into > >> question the “value” of the surcharge, etc. It is simply a cost of > doing > >> business. > >> > >> > >> > >> If you choose to offload processing to a payment gateway, then that will > >> also incur a cost. Depending on your volume, that cost may or may not > be > >> higher than you processing them yourself while complying to standards. > The > >> implementation of actual security measures will be different. But you > can’t > >> “handle” credit cards in the classic sense of the word without complying > >> with PCI. If you pass along the transaction to a gateway, you are not > >> handling it. If you DO handle it, then you have to comply with PCI. If > you > >> process less than 1 million transactions a year, you can “self audit.” > If > >> you process more, you have to be audit by a PCI auditor. > >> > >> > >> > >> None of this MEANS you are secure, it means you comply. If you don’t > like > >> PCI, then don’t process credit cards, or come up with your own. I still > >> don’t really see what all the hubbub is about here. > >> > >> > >> > >> t > >> > >> > >> > >> From: Christian Sciberras [mailto:uuf6...@gmail.com] > >> Sent: Friday, April 23, 2010 9:29 AM > >> To: Thor (Hammer of God) > >> Cc: Christopher Gilbert; Mike Hale; full-disclosure; > >> security-bas...@securityfocus.com > >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > >> > >> > >> > >> it is simply part of the cost of doing business in that market. > >> A.k.a. wasted money. Truth be told, I'm no fan of PCI. > >> Other companies get the same functionality (accept the storage of credit > >> cards) without worrying about PCI/DSS (e.g. through Payment Gateways). > >> In the end, as a service, what do I want, an inventory of credit cards, > or a > >> stable payment system? The later I guess. > >> As to security, it totally depends on implementation; one can handle > credit > >> cards without the need of standards compliance. > >> > >> My two cents. > >> > >> Regards, > >> Christian Sciberras. > >> > >> > >> On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) < > t...@hammerofgod.com> > >> wrote: > >> > >> Another thing that I think people fail to keep in mind is that when it > comes > >> to PCI, it is part of a contractual agreement between the entity and > card > >> facility they are working with. If a business wants to accept credit > cards > >> as a means of payment (based on volume) then part of their agreement is > that > >> they must undergo compliance to a standard implemented by the industry. > I > >> don’t know why people get all emotional about it and throw up their > hands > >> with all the “this is wasted money” positioning – it’s not wasted at > all; it > >> is simply part of the cost of doing business in that market. > >> > >> > >> > >> t > >> > >> > >> > >> From: full-disclosure-boun...@lists.grok.org.uk > >> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of > Christopher > >> Gilbert > >> Sent: Thursday, April 22, 2010 4:48 PM > >> To: Mike Hale > >> Cc: full-disclosure; security-bas...@securityfocus.com > >> Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds > >> > >> > >> > >> The paper concludes that companies are underinvesting in--or improperly > >> prioritizing--the protection of their secrets. Nowhere does it state > that > >> the money spent on compliance is money wasted. > >> > >> On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.des...@gmail.com> > >> wrote: > >> > >> I find the findings completely flawed. Am I missing something? > >> > >> > >> > >> _______________________________________________ > >> Full-Disclosure - We believe in it. > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >> Hosted and sponsored by Secunia - http://secunia.com/ > >> > >> > >> > >> _______________________________________________ > >> Full-Disclosure - We believe in it. > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >> Hosted and sponsored by Secunia - http://secunia.com/ > >> > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > -- > 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 > > _______________________________________________ > > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
