[Dataloss] Best Western Response
Jamie C. Pole
jpole at jcpa.com
Tue Aug 26 21:33:50 UTC 2008
When the standard doesn't reflect the reality of the situation, I
would argue that credit card processors are FAR better off having a
real security assessment done by competent consultant resources,
rather than have automated tools run by "certified" individuals that
don't have the knowledge to interpret the results.
I agree that something is better than nothing, but the PCI DSS program
gives nothing but a false sense of security. The processors should be
made to very clearly understand that PCI compliance is only meaningful
to the PCI people - it does not reflect whether or not the environment
can be breached in the real world. I have yet to see a PCI DSS
certified environment that would allow me to sleep at night if I were
responsible for it.
Jamie
On Aug 26, 2008, at 5:28 PM, Michael Hill, CITRMS wrote:
> No matter what anybody or any government or industry puts together,
> there is no perfect system/solution. But taking reasonable steps to
> safeguard the data compared to NOT doing anything should count for
> something.
>
> Michael Hill
> Certified Identity Theft Risk Management Specialist
> www.idtheft101.net
> 404-216-3751
>
> INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS |
> TRAINING
>
> "If You Think You're Not At Risk, Think Again!"