daherrera101 at yahoo.com
Wed Jun 3 11:40:05 EDT 2009
A wise acquaintance of mine once told me the purpose of PCI DSS was not to secure an organization, but to mitigate potential risk to the credit industry.
These are of course not the same goal, and it was really the first statement about the PCI DSS that allowed me to approach it with a new perspective.
Anyway, I felt it relevant to mention that on this thread because I think it's a key piece to the "good enough bar" discussion that pops up about PCI DSS constantly.
--- On Wed, 6/3/09, Brad Andrews <andrews at rbacomm.com> wrote:
From: Brad Andrews <andrews at rbacomm.com>
Subject: Re: [Owasp-pci-project] QSA
To: owasp-pci-project at lists.owasp.org
Date: Wednesday, June 3, 2009, 7:48 AM
Add to this the difficulty of figuring out how much is enough for the
- When are developers "trained"
- What kind of testing for the "OWASP Top Ten" is sufficient.
It is a more challenging issue than it may seem.
It is also a widely varying area, since a wide range of practices can
be compliant, which may or may not be sufficient to be truly "secure".
Quoting "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>:
> I had a quick chat yesterday with a QSA and inquired about how much
> training a QSA gets on PCI 6.6 and got an interesting response. I
> originally believed it was fifteen minutes which was quickly corrected
> and morphed into zero minutes. They get a URL to OWASP and are
> encouraged to read on their own time.
> So, this begs the question of how OWASP can help QSAs actually learn
> more about OWASP other than relying on one's curiosity or lack of...