[Dataloss] Best Western Response
Michael Hill, CITRMS
mhill at idtexperts.com
Tue Aug 26 21:28:01 UTC 2008
No matter what anybody or any government or industry puts together, there is
no perfect system/solution. But taking reasonable steps to safeguard the
data compared to NOT doing anything should count for something.
Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751
INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING
"If You Think You're Not At Risk, Think Again!"
NOTICE:
This email and any attachment to it is confidential and protected by law and
intended for the use of the individual(s) or entity named on the email.
This information and all email information from the sender is not legal
advice nor legal representation and should not be construed as legal advice
nor legal representation. Check with your attorney in your State for legal
advice. If the reader of this message is not the intended recipient, you are
hereby notified that any dissemination or distribution of this communication
is prohibited. If you have received this communication in error, please
notify the sender via return email and delete it completely from your email
system. If you have printed a copy of the email, please destroy it
immediately.
----- Original Message -----
From: "Jamie C. Pole" <jpole at jcpa.com>
To: "Harris, Michael C." <HarrisMC at health.missouri.edu>
Cc: <dataloss at attrition.org>
Sent: Tuesday, August 26, 2008 4:21 PM
Subject: Re: [Dataloss] Best Western Response
>
> The PCI DSS program is a joke. Pure & simple. Definitely broken,
> sometimes ignored.
>
> I teach a LOT of public and private classes on auditing and ethical
> hacking/penetration analysys, and it never ceases to amaze me how
> little the people with the QSA designation actually know. Most of
> them seem to be former IT auditors - that particular bar (QSA) is set
> W-A-Y too low.
>
> Think about it - when was the last time you heard about a security
> breach involving credit card processing where the target was NOT PCI-
> compliant?
>
> All of the good ones I've worked on recently have had PCI
> certification in place. That certification has meant precisely zilch
> in the overall scheme of things.
>
> The fact is that the PCI DSS program itself is flawed, and provides
> nothing more than a false sense of security. When certain "security"
> companies commoditize "network scanning" to the point that it is an
> entirely automated effort, the buyer deserves what they are going to
> get.
>
> The number of breaches involving PCI-compliant entities should speak
> for itself...
>
> Jamie
More information about the Dataloss
mailing list