> My point isn't about a particular section, nor whether the amount of
> experience I have in PCI DSS compliance (which is next to novice).
>

So we can agree that you're arguing about something with which you have no experience?

> The point is, what's PCI aiming at?

It's on the first substantive page of the document .. to wit: "The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally."

> Real security

Again, I ask "what is 'real security'?".

> or just a way companies can excuse their incompetence by citing full PCI
> compliance?
>

If you "self-audit" and just check the boxes because you have a box that says "firewall" on it and another that says "IDS" and so forth, then yes .. it's just excusing incompetence .. but any "real" auditor would be asking you about change management for those assets, who has access to them and why, how logs are reviewed and by whom, etc. There are 12 basic points in the 1.2 spec, none of which contradict current best practice for network design.

Cheers,

Michael Holstein
Cleveland State University

PS: This is starting to sound like the discussion many of us have with Mac end-users .. the one that goes "but Macs don't get viruses".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/