Message-ID: <x2x3af3d47c1004230928hb068621cwfd0c7b1f94c54b59@mail.gmail.com>
Date: Fri, 23 Apr 2010 18:28:31 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: "Thor (Hammer of God)" <Thor@...merofgod.com>
Cc: "security-basics@...urityfocus.com" <security-basics@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds
> it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit
cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit cards, or a
stable payment system? The latter, I guess.
As to security, it totally depends on implementation; one can handle credit
cards without the need of standards compliance.
My two cents.
Regards,
Christian Sciberras.
On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God)
<Thor@...merofgod.com> wrote:
> Another thing that I think people fail to keep in mind is that when it
> comes to PCI, it is part of a contractual agreement between the entity and
> card facility they are working with. If a business wants to accept credit
> cards as a means of payment (based on volume) then part of their agreement
> is that they must undergo compliance to a standard implemented by the
> industry. I don’t know why people get all emotional about it and throw up
> their hands with all the “this is wasted money” positioning – it’s not
> wasted at all; it is simply part of the cost of doing business in that
> market.
>
>
>
> t
>
>
>
> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *Christopher
> Gilbert
> *Sent:* Thursday, April 22, 2010 4:48 PM
> *To:* Mike Hale
> *Cc:* full-disclosure; security-basics@...urityfocus.com
> *Subject:* Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
>
>
>
> The paper concludes that companies are underinvesting in--or improperly
> prioritizing--the protection of their secrets. Nowhere does it state that
> the money spent on compliance is money wasted.
>
> On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design@...il.com>
> wrote:
>
> I find the findings completely flawed. Am I missing something?
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>