Date: Sun, 11 Apr 2010 01:00:56 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: Full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds

Tracy Reed to Digital X:

> > Having just gone through a PCI audit I can safely say a few things:
> 
> Not the fault of PCI. Perhaps you should consider a better auditor.

Ummmmm -- isn't the point that PCI is set up such that lowest (common 
denominator amongst) auditors are actually the ones that define what 
"PCI compliance" really is?

As an earlier poster already pointed out, all the vaguely recent major 
credit card data theft cases have involved "fully PCI compliant" (as 
defined by that perpetrator's PCI auditors) card processors, etc...

What part of "that's really fsck'ed-up" did you not understand?

...

Sure, you _can_ retain a "morally [and maybe even technically] 
superior" PCI auditor, but WTF does that buy you other than a bigger 
bill for an essentially meaningless "certification"?

Did any of those massive "PCI accredited" fsck-up operators lose their 
accreditations?  Did any of them have to give up their CC processing 
business activities as a result of their _proven_ (by the mostly 
generally trivial "hacks" that fsck'ed them up) poor practice?

So why would any other "must be PCI compliant" operators even consider 
spending more money than the lowliest of PCI auditors charge?



Regards,

Nick FitzGerald

