Comment Re:PCI-DSS (Score 1) 217

Self-assessment is the method used by the vast majority of small businesses, and they're often not even required to do even minimal work to get started. The acquiring bank will just set them up an account and start the ball rolling after Farmer Bob buys a cheap swipe terminal off eBay for the weekend Farmer's market and signs a couple papers. For those organizations that aren't self-assessing, they get to deal with the fact that QSAs often can't even agree on what some requirements mean in principle, let alone when applied to their specific circumstances. Show three different QSAs the same architecture and documentation, get three different reports. That ROC? That's good for toilet paper by the time the QSA pulls out of the parking lot. Don't believe me? Have a data breach and watch Visa roll in with auditors who won't leave until they find a reason to fail your compliance. That's just how the game is played.

All that said, people just declaring that they are PCI DSS compliant is actually exactly what happens. You tell the acquiring bank that you're PCI compliant (either via SAQ or QSA/ROC). If you've met certain levels of activity, the acquiring bank may pass along some paperwork regarding your audits to certain payment brands who require it. They then effectively state that your paperwork appears to be in order and begin processing your credit card transactions. At no point do they declare you PCI DSS compliant and they will most certainly toss your ass to the wolves the second there's a whiff of trouble. And even if they did say you were compliant at filing time, any QSA will tell you that any minor change, lapse, or mistake can completely alter the state of your compliance. From the PCI SSC website: "There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process."

In other words, yesterday you might have been compliant, and tomorrow you might be compliant, but today (always of course the day of the breach), you're non-compliant.

Comment Re:PCI-DSS (Score 1) 217

No, there's no certificate, but there is a process of documentation and testing commonly referred to as "certification" before you are allowed to process credit card transactions.

This depends entirely on the organization and their acquiring bank's requirements (ultimately the acquiring bank is the only one who matters, but most reasonable organizations develop their own process to ensure they're covered as much as possible). For many small businesses, they're oftentimes just buying a cheap terminal and swiping away. The acquiring bank isn't pressing them for details of their security measures and they're often completely clueless about any requirements they're supposed to be meeting. They aren't bringing in a QSA. Even if they were, bring in three QSAs to any decently sized organization and get three different opinions about your scope and your compliance measures. Half the fun of PCI assessments is determining what the requirements mean, how they apply in your specific instance, and where scope ends. But the point is, there's no issuing authority to say that you're PCI compliant. There's no governing body certifying anyone. The only thing that's actually there are the contractual relationships between the merchant and the acquiring bank and the contractual relationships between the acquiring bank and the payment brands.

I work in point of sale software development and have had to help retail chains overcome problems found in their certification tests. You either don't know what you're talking about, or you're playing a pointless semantic game.

It's not a pointless semantic game because it's the unspoken risk for anyone accepting credit cards. Since there is no official PCI certification and since there is no agreement between QSAs on what the requirements mean in principle (let alone in practice in a specific organization's situation), the PCI SSC gets to stick the claim up on their website that no breach has ever occurred in a PCI-compliant vendor. Best of all, each individual payment brand actually gets to decide what requirements have to be met in which situation by which type of vendor doing what type of business at what scale and via which medium. The ambiguity and the leverage the payment brands hold allows them to arbitrarily decide who is and who isn't compliant at any given moment.

So you keep on doing your documentation and your testing processes (and you should, it's good practice), but if you think for a second your customers are somehow protected from Visa, Mastercard, etc. in the event of a breach, you'd best think again. It's a shell game designed to ensure that whenever things go south, the payment brands are never the ones left holding the bag.

Comment Re:What about extending FIOS to us DSL users? (Score 1) 234

FiOS is 1/8th mile away from my house but they won't bring it the last couple hundred feet.

Sounds like you need to strike up a deal with one of your neighbors, to sign up for FIOS and host a WiFi AP aimed towards your house for you. Give them free internet access (throttled when you're maxing it out) or just a few dollars more than the bill, and you'll both come out ahead.

Comment Re:People need to read comment threads (Score 1) 234

For me, a real sign of the death of Slashdot is the predictability of the trolls.

This statement just reeks of "noob".

The trolling (and gaming of mod and m2) was VASTLY higher in the early /. days. At certain points, it really was crushing any legitimate discussions. You have no idea how good you've got it, on that account.

Slashdot is dying because of Dice, nothing else.

Comment Re:And if you're in the vast FIOS-free zones... (Score 1) 234

At this point, it's pretty clear that if you don't already have it, you won't be getting it.

Not true here. It was quite a while after their announced buildout freeze that FIOS became available here. A neighboring city had it for a while, and since then, it has expanded a few cities away, and filled in all the coverage gaps, too.

Frankly, I hate FIOS, because they immediately take away nice cheap DSL as an option. Why the hell does my mother need to pay $65/month for the slowest FIOS package, when she's never watched an online video in her life, still has no interest in Netflix, and wouldn't care whether it came in 480i or 4k? But nice cheap DSL is no longer an option for her, because we have FIOS.

Time Warner is awesome, offering a $15/month basic internet access plan even though they've got no competition in that space anymore, but if they get bought out by Comcast, we're screwed.

Comment Re:Minivans are practical but ignored (Score 1) 205

I think VW might contract the actual manufacturing to Chrysler.

Indeed. The VW Routan was a Chrysler Town and Country with some different skins on the inside and out. It was so much not a VW product that the VCDS system (the thing you can use to do vehicle diagnostics on any VW, Audi, Seat, or Skoda product since the early 90s) doesn't even talk to it.

In the German market, VW sells vans of all different sizes. None of them are currently imported to the US; the Eurovan was the last rest-of-world van that was available in North America.

Comment Re: Hmmm (Score 3, Informative) 205

We have 3 kids in car seats, and an Odyssey.

When we lived in town, it was great. Back then, my only serious gripe with the Odyssey is that if you are running a second set of wheels (e.g. for permanently mounted snow tires), and don't fit a 2nd set of expensive TPMS sensors to those wheels, the VSA (stability control) cannot be defeated via the console switch.

This is a problem because the VSA implementation sucks and is frankly unsafe when accelerating on surface transitions - for instance, when you are waiting on a gravel road and are about to pull onto a paved highway, the VSA system senses differing levels of wheel grip between the wheel on pavement and the wheel still on gravel, and cuts power, precisely when you need maximum power to quickly get to highway speed.

Last fall we moved to a rural area, and now poorly maintained roads (deep snow in the winters until I clear it, deep ruts whenever there are rains) have really shown me the shortcomings of the vehicle. My wife has gotten it stuck 4 times in our first winter.

The Odyssey needs 2 things to be superlative. Air suspension with adjustable ride height (it is a very low vehicle, for ease of entry/exit for small kids), and a proper AWD system.

My wife is now desperately wanting an AWD vehicle. But to get a proper AWD system (e.g. locking transfer case or at least a torsen differential), and the useful seating capacity of a minivan, you need to be looking at full-size truck based SUVs, like the Excursion or Sequoia.

I'm aware that the Sienna comes in an AWD version, but its particular AWD system and ride height doesn't inspire me that they will be foolproof enough to want to make the switch.

Sadly, my wife also refuses to drive a Mercedes G-wagen :)

As an aside, the Odyssey towing capacity isn't really sufficient. It's 3500lbs, and it requires upfitting the vehicle considerably with things that don't come factory - PS cooler, ATF cooler, hitch wiring, etc. (In addition to the actual hitch receiver).

When we were considering camping options, essentially nothing that had enough floor space for a family of 5 could be towed behind an Odyssey.

Comment Re:PCI-DSS (Score 4, Interesting) 217

As an organisation accredited to be following PCI-DSS

You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.

Comment Re:10.10 per hour (Score 1) 778

Depending on where you live (state taxes?), that's at best a cool $350-$365 after payroll taxes (259-270 Euros) per week for a family of two to four.

Really? And would that $10.10/hr magically become more or less money with a family of 1, or a family of 10?

And actually, with a family of 4 on $20,000/year, you probably wouldn't be paying ANYTHING in state or federal income taxes in most states, so it would be $404/week take-home.

And more relevant than abstract cash figures:

"If you have a [full-time] job in this country, (there's a) 97 percent chance that you're not going to be in poverty."

http://www.politifact.com/trut...

Comment Re:Work Shortage where is the Wage Increases?, (Score 1) 529

Hi there. Been an engineer at Microsoft since 2000. Have interviewed hundreds of people at all skill levels.

Why do you assume that wages at Microsoft aren't increasing?

I understand the compensation model, and how it has changed in my 14 years. The comp packages we are offering to college grads these days are astoundingly lucrative. Every few years in my career, there has been a big compensation realignment based on market realities. Every time something at work upsets me enough that I start talking to other companies, their comp packages (especially with cost of living factored in) aren't able to match what I'm getting now from Microsoft.

Lately, high comp packages are required to compete with Google, Facebook, Amazon, etc, who all have plenty of money, and, for younger developers, are often seen as cooler places to work than old stodgy Microsoft.

I just see no evidence that H1-Bs are a mechanism for the company to save money. Dealing with H1-B hassles involves a lot of overhead and expense that are not applicable to domestic employees.

As I said earlier, I have interviewed many, many folks, for many positions. The hire rate is not as high as we would like it to be. It never feels good to have to turn someone down, and it is a waste of time for everyone when an interview doesn't go well. But the bottom line is, we talk to many more people than we can feel confident about making an offer to. There are lots of STEM graduates, foreign and domestic. But not all of them are someone we could feel comfortable hiring. I'm sure you've known people in your CS class who could get good grades but who couldn't code... those people count as "qualified STEM applicants" to people that are pushing the "H1B is evil" rhetoric, but we all know that just because someone has a degree doesn't mean they are employable in that field... and certainly not by the top organizations in that field.

I've also seen no evidence that Microsoft has a preference for hiring H1-Bs, or that there is any compensation disparity for H1-Bs. I have seen evidence that H1-Bs cost the company money that domestic employees do not. For example, the company has special lawyers and paperwork people that deal with H1-B and other immigrant-labor related problems. That's a cost. When H1-B engineers are dealing with this stuff (which is frustratingly often), they aren't writing code or analyzing tests. That's a hit to their productivity, which ultimately, is another cost.

Comment Re:What about methanol fuel cells? (Score 1) 156

Methanol fuel cells need some research love....

No they don't... They're getting extensive use in forklifts, surpassing battery-electrics even at the currently crazy fuel-cell prices.

Now unleaded gasoline fuel cells... Those could use some money. Range booster for EVs or hybrids, an instant doubling of fuel efficiency over ICEs, practically no maintenance, and a future where fuel conversion efficiency isn't limited by Carnot.

Comment Re:"Issue on board" (Score 1) 752

Russia supplies much of Europe's fossil fuels, specifically oil and gas

The US has a glut of natural gas and is aching to export it. Terminals are being built; if they were rushed, the pipe to Russia could be shut off, or at least made largely insignificant, in a hurry.

And whatever energy resources the west doesn't buy will be purchased by some other nation (e.g. China) at a less-profitable price and via a round-about route.
