PCI: Not our problem...

tate@ClearNetSec.com (Tate Hansen) — Wed, 16 May 2007 20:51:00 -0600

What happens when the test environment operated by MasterCard (they “own” the testing lab) is misbehaving? I know. They yank the wheel, swerve away from responsibility, and point to the PCI council. And PCI? They point back. Beautiful, no?

You see because they refuse to disclose missed results to you they duck responsibility for anything that may have been their fault. They also clearly imply if anything is missed in your attempts to identify vulnerabilities then it is surely your fault or a problem with the tools you used.

I love it: No clear pass criteria, no way to challenge a decision, and no transparency of what or how they are doing. For all this great service you get to spend thousands every year!

So what happens when you call bullshit and raise hell? They pass you. :) Let me not forget to mention we had a few extra bullets in our clip they may have unexpected us to have – bullets provided to us by friends with information.

Be forewarned; this process has serious issues.

"PCI: Not our problem..." by Martin McKeay

Mon, 04 Jun 2007 16:36:07 -0600

Tate,

Welcome to the world of PCI DSS. Every possible step has been taken to divorce Master Card and Visa from anything approaching responsibility. They don’t manage the standard, the PCI Council does. They don’t do any of the testing to make sure sites are secure, a consultant you hire does that. And if there’s a dispute with the results, your only choice is to go through the consultant to argue your point. They don’t even levy the fines if there is a compromise, they fine the acquiring bank and the acquiring bank fines the vendor. No direct linkage to responsibility any where.

Isn’t a great system?

Martin

ClearNet Security: PCI: Not our problem...

PCI: Not our problem...

"PCI: Not our problem..." by Martin McKeay