[funsec] The PCI sky *isn't* falling!
anton at chuvakin.org
Mon Mar 23 23:50:46 CDT 2009
> : I'd say that PCI DSS did more to information security than *anything
> : else* since Windows added automated updates.
> Care to back that up in any way? I think the customers of Heartland, RBS
> and other compromises would disagree.
Sorry, but this is kind of what I was talking about :-) What I am
hearing in the above is that PCI was somehow supposed to guarantee
their un-hackability. Is that what you are implying? What about a
simpler explanation: they were breached DESPITE PCI DSS?
> : Now, some might say that my argument is of the type "Why do 99% of
> : lawyers give the rest a bad name?", but it is not. I am pretty sure that
> : even companies that "do it just the auditor" or, worse, deceive their
> : PCI assessor still gain a tiny fraction of risk reduction, both for
> : themselves - and for the rest of us.
> Is that "tiny fraction of risk reduction" evident in Heartland / RBS? Is
> that fraction worth the trade-off for an entirely inflated false sense of
This supposed reduction of risk was NOT in any way evident in the case of
Hland/RBS, at least not in the way it was reported publicly. In
addition, it is entirely possible that their security staff was "under
the influence" of a false sense of security and, as a result, made
decisions that led to their compromise.
PCI did drive many small organizations to think about: a) have we
updated our AV since 2004 (BTW, their answer was 'no' and now it is
'yes' [debate about AV efficiency is a separate story]) b) what on
Earth is a firewall? c) changing passwords is maybe a good idea.
That is where I think it is useful.
> You forgot one part of your sig:
> Director of PCI Compliance Solutions at Qualys
Was that remark intended to invalidate my arguments in any way? I hope
you are not implying that people working for a vendor are not allowed -
gasp! - their own opinion...
Anton Chuvakin, Ph.D