From: Jamie C. Pole (jpolejcpa.com)
Date: Tue Aug 26 2008 - 16:33:50 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When the standard doesn't reflect the reality of the situation, I
would argue that credit card processors are FAR better off having a
real security assessment done by competent consultant resources,
rather than have automated tools run by "certified" individuals that
don't have the knowledge to interpret the results.

I agree that something is better than nothing, but the PCI DSS program
gives nothing but a false sense of security. The processors should be
made to very clearly understand that PCI compliance is only meaningful
to the PCI people - it does not reflect whether or not the environment
can be breached in the real world. I have yet to see a PCI DSS
certified environment that would allow me to sleep at night if I was
responsible for it.

Jamie

On Aug 26, 2008, at 5:28 PM, Michael Hill, CITRMS wrote:

> No matter what anybody or any government or industry puts together,
> there is no perfect system/solution. But taking reasonable steps to
> safeguard the data compared to NOT doing anything should count for
> something.
>
>
>
> Michael Hill
> Certified Identity Theft Risk Management Specialist
> www.idtheft101.net
> 404-216-3751
>
> INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS |
> TRAINING
>
>
> "If You Think You're Not At Risk, Think Again!"

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]