[Dataloss] Best Western Response
security curmudgeon
jericho at attrition.org
Tue Aug 26 22:44:06 UTC 2008
: I agree that some "lowest common denominator" can be helpful, but not at
: the expense of an actual security program. Too many processors take
: their PCI certificate "to the bank", and don't seem to bother doing
: anything else.
:
: That is the fatal flaw in the program.
:
: In addition, the way the PCI QSA program is structured ensures that
: competent security consultants will stay out of it. Why would anyone
: want to sign on to a program where you have essentially unlimited
: liability, but are forced to base your certification decisions on a
: ridiculous standard? AND you have to pay them $20,000 initially, and
: $10,000 per year afterward... Where does that money go???
After that, you get to bid against the LCD who does their automated scans
w/ little to no validation for pennies on the dollar. A company I used to
work for was an ASV for a while, but we only did the work as a loss
leader to get in the door and then upsell. That was the *only* value of
doing PCI work.