
Comment Re:PCI-DSS (Score 1) 217

Self-assessment is the method used by the vast majority of small businesses, and they're often not even required to do even minimal work to get started. The acquiring bank will just set them up an account and start the ball rolling after Farmer Bob buys a cheap swipe terminal off eBay for the weekend Farmer's market and signs a couple papers. For those organizations that aren't self-assessing, they get to deal with the fact that QSAs often can't even agree on what some requirements mean in principle, let alone when applied to their specific circumstances. Show three different QSAs the same architecture and documentation, get three different reports. That ROC? That's good for toilet paper by the time the QSA pulls out of the parking lot. Don't believe me? Have a data breach and watch Visa roll in with auditors who won't leave until they find a reason to fail your compliance. That's just how the game is played.

All that said, people just declaring that they are PCI DSS compliant is actually exactly what happens. You tell the acquiring bank that you're PCI compliant (either via SAQ or QSA/ROC). If you've met certain levels of activity, the acquiring bank may pass along some paperwork regarding your audits to certain payment brands who require it. They then effectively state that your paperwork appears to be in order and begin processing your credit card transactions. At no point do they declare you PCI DSS compliant and they will most certainly toss your ass to the wolves the second there's a whiff of trouble. And even if they did say you were compliant at filing time, any QSA will tell you that any minor change, lapse, or mistake can completely alter the state of your compliance. From the PCI SSC website: "There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process."

In other words, yesterday you might have been compliant, and tomorrow you might be compliant, but today (always of course the day of the breach), you're non-compliant.

Comment Re:PCI-DSS (Score 1) 217

No, there's no certificate, but there is a process of documentation and testing commonly referred to as "certification" before you are allowed to process credit card transactions.

This depends entirely on the organization and their acquiring bank's requirements (ultimately the acquiring bank is the only one who matters, but most reasonable organizations develop their own process to ensure they're covered as much as possible). For many small businesses, they're oftentimes just buying a cheap terminal and swiping away. The acquiring bank isn't pressing them for details of their security measures and they're often completely clueless about any requirements they're supposed to be meeting. They aren't bringing in a QSA. Even if they were, bring in three QSAs to any decently sized organization and get three different opinions about your scope and your compliance measures. Half the fun of PCI assessments is determining what the requirements mean, how they apply in your specific instance, and where scope ends. But the point is, there's no issuing authority to say that you're PCI compliant. There's no governing body certifying anyone. The only thing that's actually there are the contractual relationships between the merchant and the acquiring bank and the contractual relationships between the acquiring bank and the payment brands.

I work in point of sale software development and have had to help retail chains overcome problems found in their certification tests. You either don't know what you're talking about, or you're playing a pointless semantic game.

It's not a pointless semantic game because it's the unspoken risk for anyone accepting credit cards. Since there is no official PCI certification and since there is no agreement between QSAs on what the requirements mean in principle (let alone in practice in a specific organization's situation), the PCI SSC gets to stick the claim up on their website that no breach has ever occurred in a PCI-compliant vendor. Best of all, each individual payment brand actually gets to decide what requirements have to be met in which situation by which type of vendor doing what type of business at what scale and via which medium. The ambiguity and the leverage the payment brands hold allows them to arbitrarily decide who is and who isn't compliant at any given moment.

So you keep on doing your documentation and your testing processes (and you should, it's good practice), but if you think for a second your customers are somehow protected from Visa, Mastercard, etc in the event of a breach, you'd best think again. It's a shell game designed to ensure that whenever things go south, the payment brands are never the ones left holding the bag.

Comment Re:Am i on Slashdot? "Johnny appleseed exhibit"? (Score 1) 71

Chapman's spread of apples was a solution to the bad water problem. Making the apples into Apple Jack sterilized the water. The alcohol in the Jack didn't freeze as readily as pure water. Straining out the icy slush made the Jack stronger, and less likely to freeze. So when your stream is frozen, there's some Jack to drink.

Comment Re:PCI-DSS (Score 4, Interesting) 217

As an organisation accredited to be following PCI-DSS

You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.

Comment Re:Not since Doom II (Score 1) 154

Was that perhaps the day you got a bigger monitor? Motion sickness is primarily influenced by what goes on in your peripheral vision. I've only ever gotten motion sickness on sims with wraparound displays on the sides, and it's quite awesome. Still saving up for extra screens for my gaming rig at home so I can have those side panels.

Comment Re:Hardly surprising.. (Score 1) 291

Barring a total miracle like Rossi's unicorn reactor it seems we've already passed the point of no return.

If there are any miracles to be had, I can assure you they won't be coming from a pseudoscientific scam artist like Rossi.

It's not like we don't have the technology to tackle AGW. We know how to build nuclear power plants right now, and we also know how to deal with the waste. All we lack is the political will to do it. We don't need "miracles" from snake-oil salesmen like Rossi.


Submission + - Denver Airport Rental Car Agencies Inundated With Pot Left Behind By Travelers (cbslocal.com)

schwit1 writes: Rental car workers at Denver International Airport say pot tourists are regularly leaving them with marijuana that travelers don’t want to try to carry through DIA.

“It happens quite often,” a rental car employee at a national chain told a CBS4 employee. “Every couple of days. I just throw it in the trash.” At another major rental car company, an employee told CBS4 pot is handed over to employees “pretty frequently but depends on if there is an occasion.”

Submission + - The Improbable Story of the 184 MPH Jet Train (youtube.com)

MatthewVD writes: Almost half a century ago, New York Central Railroad engineer Don Wetzel and his team bolted two J47-19 jet engines, throttled up the engines and tore down a length of track from Butler, Indiana to Stryker, Ohio at almost 184 mph. Today, the M-497 still holds the record for America's fastest train. This is the story of how it happened.

Comment Re:I am Woman! (Score 4, Funny) 590

The God of Thunder is at a particularly successful orgy and sees a good-looking woman wandering around in her toga. He puffs up his chest and proclaims to her, "Hi, I am Thor!"

The woman looks back and says, "Ugh, yeth, I'm thor too, I'm thor all over."

Comment This is just one person's (Score 4, Informative) 202

personal opinion of the status of the various ideas labelled "multiverse", inappropriately presented as fact. There is certainly not a consensus view that these opinions are correct, as you might mistakenly infer. In fact, "..., with different Big Bangs but very likely with the same fundamental laws and constants" -- it seems to me the weight of professional opinion is actually more on the other side here. His views on Everett's many-worlds interpretation are also counter to those of most people who accept it as valid in the first place. Perhaps most egregiously, if he is going to borrow (linking to) Tegmark's categorization of the different levels of multiverse, he should at least get them right. But he refers to Tegmark's level 1 as level 0, level 2 as level 1, and is a little confused about the distinction between 1 and 2. If you want a much more thorough, and objective, discussion of the various multiverse ideas, you want to read Brian Greene's The Hidden Reality. And of course Tegmark's Our Mathematical Universe is the latest entry into this field, a manifesto of sorts.

Comment Re:Yes (Score 1) 502

Yeah, the Lenovo T420s has an array of mics up top around the webcam, and in theory they can be used to filter out noise from typing and be tuned to pick up the voice of the talker and not the speakers. But I went through all that calibration and it still sucks... it does filter out a lot of the keyboard noise but it also attacks the voice as well. Maybe someday Lenovo/Conexant will release better, more tunable drivers, but I haven't seen anything positive on any of the Lenovo support message boards yet.

In Lenovo's defense, I bought a z710 for my wife, and it appears to work great with Skype and stuff out of the box (though I've never sampled the audio quality on the far end of the call). It's a nice little desktop replacement box, at the time probably the cheapest laptop I could find with a 1920x1080 LCD and a half-decent NVidia GPU. Of course, it still has an Intel 4000 integrated GPU as well for "hybrid power savings"... you can't disable the iGPU, and the thing would BSOD with any 3D applications using the Nvidia GPU until I installed the right combination of driver updates relatively recently.
