[Owasp-leaders] PCI, more ego than brains...
Daniel Cuthbert
daniel.cuthbert at owasp.org
Mon Mar 2 15:33:25 EST 2009
For those who don't remember, we actually had something similar to
this a long time ago, but got feedback from PCI that they didn't
really appreciate the project.
On 02 Mar 2009, at 10:13 PM, McGovern, James F (HTSC, IT) wrote:
> So, can we get a project started to recommend publicly how PCI can
> be made better?
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mark Bristow
> Sent: Monday, March 02, 2009 11:11 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] PCI, more ego than brains...
>
> I have a love-hate relationship with PCI.
>
> On the one hand (as has been pointed out already) compliance with
> PCI DSS does not make one secure. If the objective of PCI DSS was
> to secure web applications I'm not sure that it succeeds.
>
> On the other hand I don't suspect that PCI was meant necessarily to
> secure web applications. PCI is more about liability and risk.
> Before PCI, if you were breached, there were a handful of
> semi-applicable laws and regulations that may have been grounds for a
> lawsuit by the affected parties, assuming they ever knew they were
> affected. At least with PCI, if a processor is found to be
> non-compliant there is a direct liability for that non-compliance and
> any additional lawsuits have additional grounds for their case.
>
> As a security purist I would absolutely prefer that every
> application out there was 100% secure, but as a realist and
> consultant you have to be more pragmatic. A very small percentage
> of people out there will make themselves secure for the sake of
> security. There has to be a risk analysis that shows it costs more
> (direct or indirect cost) to be insecure than the cost of the
> security investment for action to be taken. To its credit, PCI adds
> to the breach costs, causing that risk decision to fall more often
> (but not always) on the side of security.
>
> All that said, I'd love it if the standards were a bit more robust.
> Due to the position of the credit card companies, they really have an
> opportunity to effect real change in the industry. If your breach
> results in the loss of your card processing capability, it really
> affects the bottom line and therefore gets a lot of attention. It'd
> be nice if they leveraged this position a bit more, but I'll take
> what I can get.
>
> I'm sure at least one website out there mitigated at least one
> vulnerability in an effort to be PCI compliant. Small victory?
> Absolutely, but at least it's a step in the right direction.
>
> -Mark
>
> Eoin wrote:
>>
>> It's all cool baby......
>>
>> I'm PCI compliant or so they say.... so I can hit the hackers with
>> my rolled-up cert when they come knocking on my web application.
>>
>> If the payment card industry did nothing (did not introduce PCI
>> DSS) we would be complaining about the same thing, web insecurity.
>>
>> PCI certification is not going to save us (them). The insecurity is
>> contained in the creation, application and deployment of the
>> building blocks of the web; PCI is never going to fix this, nor is any
>> other certification.........
>>
>> Sure, let them get certified, and hacked; this is the cycle of life....
>>
>> but it's cool man, "get certified, go to the next level" :)
>>
>>
>> -ek
>>
>> 2009/2/28 Daniel Cuthbert <daniel.cuthbert at owasp.org>
>> When I see stuff like this, it really does ram home the point of
>> how little people actually get it.
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>> --
>> Eoin Keary CISSP CISA
>> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>>
>> OWASP Code Review Guide Lead Author
>> OWASP Ireland Chapter Lead
>> OWASP Global Committee Member (Industry)
>>
>> Quis custodiet ipsos custodes
>>
>>
>
> --
> Mark Bristow
>
> OWASP Global Conferences Committee member -
> https://www.owasp.org/index.php/Global_Conferences_Committee
> AppSec US 09 Organizer -
> https://www.owasp.org/index.php/OWASP_AppSec_US_2009_-_Washington_DC
> OWASP DC Chapter Co-Chair - http://www.owasp.org/index.php/Washington_DC