Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

["Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>]

How can you say it is "wasted"? It doesn't matter if you are a "fan" of it or 
not, in the same way that it doesn't matter if you are a "fan" of the 4% 
surcharge retail establishments pay to accept the credit card as payment.  
Using your logic, you would way it is "wasted money," and might bring into 
question the "value" of the surcharge, etc.  It is simply a cost of doing 
business.

If you choose to offload processing to a payment gateway, then that will also 
incur a cost.  Depending on your volume, that cost may or may not be higher 
than you processing them yourself while complying to standards.  The 
implementation of actual security measures will be different.  But you can't 
"handle" credit cards in the classic sense of the word without complying with 
PCI.  If you pass along the transaction to a gateway, you are not handling it.  
If you DO handle it, then you have to comply with PCI.  If you process less 
than 1 million transactions a year, you can "self audit."  If you process more, 
you have to be audit by a PCI auditor.

None of this MEANS you are secure, it means you comply.  If you don't like PCI, 
then don't process credit cards, or come up with your own.  I still don't 
really see what all the hubbub is about here.

t

From: Christian Sciberras [mailto:uuf6429@xxxxxxxxx]
Sent: Friday, April 23, 2010 9:29 AM
To: Thor (Hammer of God)
Cc: Christopher Gilbert; Mike Hale; full-disclosure; 
security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

it is simply part of the cost of doing business in that market.
A.k.a. wasted money. Truth be told, I'm no fan of PCI.
Other companies get the same functionality (accept the storage of credit cards) 
without worrying about PCI/DSS (e.g. through Payment Gateways).
In the end, as a service, what do I want, an inventory of credit cards, or a 
stable payment system? The later I guess.
As to security, it totally depends on implementation; one can handle credit 
cards without the need of standards compliance.

My two cents.

Regards,
Christian Sciberras.


On Fri, Apr 23, 2010 at 6:07 PM, Thor (Hammer of God) 
<Thor@xxxxxxxxxxxxxxx<mailto:Thor@xxxxxxxxxxxxxxx>> wrote:
Another thing that I think people fail to keep in mind is that when it comes to 
PCI, it is part of a contractual agreement between the entity and card facility 
they are working with.   If a business wants to accept credit cards as a means 
of payment (based on volume) then part of their agreement is that they must 
undergo compliance to a standard implemented by the industry.  I don't know why 
people get all emotional about it and throw up their hands with all the "this 
is wasted money" positioning - it's not wasted at all; it is simply part of the 
cost of doing business in that market.

t

From: 
full-disclosure-bounces@xxxxxxxxxxxxxxxxx<mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx>
 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx<mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx>]
 On Behalf Of Christopher Gilbert
Sent: Thursday, April 22, 2010 4:48 PM
To: Mike Hale
Cc: full-disclosure; 
security-basics@xxxxxxxxxxxxxxxxx<mailto:security-basics@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

The paper concludes that companies are underinvesting in--or improperly 
prioritizing--the protection of their secrets. Nowhere does it state that the 
money spent on compliance is money wasted.
On Wed, Apr 21, 2010 at 5:44 PM, Mike Hale 
<eyeronic.design@xxxxxxxxx<mailto:eyeronic.design@xxxxxxxxx>> wrote:
I find the findings completely flawed.  Am I missing something?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/