Security Basics mailing list archives

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
From: Mike Hale <eyeronic.design () gmail com>
Date: Fri, 23 Apr 2010 10:42:36 -0700

Look at the PCI requirements.

What's unreasonable about them?  Which portions are *NOT* part of
having a secure network?

If you strive for security, and weave that into your network,
complying with PCI should be cake.

On Fri, Apr 23, 2010 at 10:40 AM, Stephen Mullins
<steve.mullins.work () gmail com> wrote:
I don't see what the hubbub is

Some people in the information security industry actually care about
securing systems and the information they contain rather than filling
in check boxes.  Compliance may ensure a minimum standard is met, but
it does not ensure or imply that real security is being maintained at
an organization.

As you say, PCI has become a cost of doing business whereas having a
secure network is apparently not a cost of doing business.  This is a
problem.

Crazy notion, I know.

On Fri, Apr 23, 2010 at 1:18 PM, Thor (Hammer of God)
<Thor () hammerofgod com> wrote:
How can you say it is “wasted”? It doesn’t matter if you are a “fan” of it
or not, in the same way that it doesn’t matter if you are a “fan” of the 4%
surcharge retail establishments pay to accept the credit card as payment.
Using your logic, you would say it is “wasted money,” and might bring into
question the “value” of the surcharge, etc.  It is simply a cost of doing
business.



If you choose to offload processing to a payment gateway, then that will
also incur a cost.  Depending on your volume, that cost may or may not be
higher than you processing them yourself while complying to standards.  The
implementation of actual security measures will be different.  But you can’t
“handle” credit cards in the classic sense of the word without complying
with PCI.  If you pass along the transaction to a gateway, you are not
handling it.  If you DO handle it, then you have to comply with PCI.  If you
process less than 1 million transactions a year, you can “self audit.”  If
you process more, you have to be audited by a PCI auditor.



None of this MEANS you are secure, it means you comply.  If you don’t like
PCI, then don’t process credit cards, or come up with your own.  I still
don’t really see what all the hubbub is about here.



t



From: Christian Sciberras [mailto:uuf6429 () gmail com]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure;
security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit
cards) without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit cards, or a
stable payment system? The latter I guess.
As to security, it totally depends on implementation; one can handle credit
cards without the need of standards compliance.

My two cents.

Regards,
Christian Sciberras.


On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) <Thor () hammerofgod com>
wrote:

Another thing that I think people fail to keep in mind is that when it comes
to PCI, it is part of a contractual agreement between the entity and card
facility they are working with.   If a business wants to accept credit cards
as a means of payment (based on volume) then part of their agreement is that
they must undergo compliance to a standard implemented by the industry.  I
don’t know why people get all emotional about it and throw up their hands
with all the “this is wasted money” positioning – it’s not wasted at all; it
is simply part of the cost of doing business in that market.



t



From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Christopher
Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; security-basics () securityfocus com
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds



The paper concludes that companies are underinvesting in--or improperly
prioritizing--the protection of their secrets. Nowhere does it state that
the money spent on compliance is money wasted.

On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale <eyeronic.design () gmail com>
wrote:

I find the findings completely flawed.  Am I missing something?



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


