Security Basics mailing list archives

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
From: Mike Hale <eyeronic.design () gmail com>
Date: Fri, 23 Apr 2010 10:20:35 -0700

You don't think in-house payment gateways can be as stable as third
party gateways?

On Fri, Apr 23, 2010 at 9:28 AM, Christian Sciberras <uuf6429 () gmail com> wrote:
it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit
cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit cards, or a
stable payment system? The latter I guess.
As to security, it totally depends on implementation; one can handle credit
cards without the need of standards compliance.

My two cents.

Christian Sciberras.

On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <Thor () hammerofgod com>

Another thing that I think people fail to keep in mind is that when it
comes to PCI, it is part of a contractual agreement between the entity and
card facility they are working with. If a business wants to accept credit
cards as a means of payment (based on volume) then part of their agreement
is that they must undergo compliance to a standard implemented by the
industry.  I don’t know why people get all emotional about it and throw up
their hands with all the “this is wasted money” positioning – it’s not
wasted at all; it is simply part of the cost of doing business in that


From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Christopher
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state that
the money spent on compliance is money wasted.

On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design () gmail com>

I find the findings completely flawed.  Am I missing something?

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


