One for Greg: CW - Does PCI Compliance mean anything?
http://www.computerw...=203&pageNumber=1
Not a lot of meat there, but at least it's being talked about in the trade press.
Cheers,
Scott.
Does PCI Compliance mean anything?
Not really. It is "best practices" designed by a committee. A similar example is what I deal with, CMS compliance. We have to comply with http://iase.disa.mil/stigs/a-z.html. If you pick one product you are familiar with, you can see the holes.
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
Thanks.
Sure. It means you can accept credit cards.
--
Drew
Nope
Give this a look (random googled checklist):
http://www.bbb.org/d...liant/checklists/

While many examples in the news are bricks and mortar, with cracked point-of-sale systems being their current issue, almost all of them also have web stores as well. So let's use any online store as an example for this thought exercise.

#1: If they do not charge your credit card before shipping, then they MUST store it on disk. MUST! And if they partial ship, then they must be allowed to do multiple transactions as well. This means an automated system has to be able to read the database entry that contains the card, decrypt it, and issue transactions. So, anyone who managed to break into the system that either stores the CCs, manages the process, or sniffs the wire can copy every CC in the system. Also, since in-flight data does not need to be encrypted (at least behind the corporate firewall), EVERY system on the network is a potential threat. Every zero-day exploit could be harvesting those CC numbers to forward along.

The checklist format allows a variety of "levels" of adherence, including "working on it, please check on next review", which means CIOs can cover their ass by assigning the task to an underling and then ignoring it for 6 months. There are people who are named on PCI docs as the responsible individuals, but they have NO CLUE what the actual responsibility is. But even when they do, they can point to an external vendor and say: "This is on the list of approved vendors and we have it running here" (but they didn't actually implement the functionality that they needed), which lets them skate as well.

I've just scratched the bare surface. PCI is nothing more than a method of allowing CC vendors to claim they care, and companies to claim they are making an effort. It does NOTHING for actual security; it just provides a method of passing the buck when the shit hits the fan.
Thanks.
Sorry for the delay. Our internet at home was down yesterday (apparently due to a not-tight-enough connection). I just fixed it...
Thanks for the reality-check. As bad as it is, it seems worse if you believe the side comment on that page: Only 10% of US small businesses have a formal Internet security policy. :-/

It sounds like "chip and pin" cards aren't going to solve the issues you pointed out, either. <sigh>

Cheers,
Scott.
There is NO security out there
It is merely a game of CYA.
So, here's what you need to do. Have separate linked bank accounts. You need a primary and a secondary checking, and another for savings. Each checking account has its own visa/debit card. Put your paycheck in the primary and/or savings. Use the secondary for bill paying. The primary card can be used to access all accounts; the secondary can be used ONLY to access the secondary account. Place money into the secondary account as needed to cover your bills and spending money. Use it for whatever. NEVER use the primary card except to control the money transfers at a mac machine in your bank.

If you are foolish enough to use online banking, and use a windows box for that, all bets are off.

When your secondary account is nailed, get a new card for that, invalidating the previous card with minimal hassle. If you insist on setting up recurring payments, get an additional secondary account for those as well, but try to minimize the number of vendors you give it to, since you will have to call them all and change it if that account gets nailed.
I throw PayPal's Bill Me Later service in front of all of that as well. Anyplace that takes PayPal gets paid through Bill Me Later; I see what is going on, and PayPal only gets close to my low-balance PayPal account.
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep