
[Full-disclosure] VISA PCI DSS standard : Good or bad?



Hello all

Have you already faced the VISA PCI DSS standard?

If your IT system stores, manipulates, or sends credit card numbers, then as security professionals you need to follow and make your system compliant with what VISA calls the PCI DSS standard. The goal of this standard is to ensure that our customers' credit cards are safe from evil hackers or employees... Great idea!

But for us, this standard has some weaknesses:
- Commercial electronic payment organizations designed an insecure system and now they want us to pay to secure their business!
- Too much focus on system and network security
- Only a quarterly scan with any VISA-compliant scanner such as Qualys
- No pentest at the application level is required, and when you consider that as pentesters we almost always succeed in compromising sensitive information such as credit cards through a security bug at the application level, we notice that this is the most important weakness.

Never mind... VISA PCI DSS is here... and we must apply it.

There are some slides from the Security Professionals Conference 2006 about this topic that are worth reading: "Two Approaches to PCI DSS Compliance".
Go to http://www.security-briefings.com for details.

Regards

Newslist [at] security-briefings.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/