Forgot your password?
typodupeerror

Comment: Re:aaargh! pinheads in the IT. (Score 1) 228

by jawtheshark (#47506759) Attached to: Verizon Boosts FiOS Uploads To Match Downloads
Why would you think that? I use it here for internal web apps, I don't care about their youporn visits and I don't want that on my network. So, if they're at home, let them connect to the VPN, access the internal apps and do their work and wank on the side using their own Internet connection.

Comment: Re:PCI-DSS (Score 1) 203

Self-assessment is the method used by the vast majority of small businesses, and they're often not even required to do even minimal work to get started. The acquiring bank will just set them up an account and start the ball rolling after Farmer Bob buys a cheap swipe terminal off eBay for the weekend Farmer's market and signs a couple papers. For those organizations that aren't self-assessing, they get to deal with the fact that QSAs often can't even agree on what some requirements mean in principle, let alone when applied to their specific circumstances. Show three different QSAs the same architecture and documentation, get three different reports. That ROC? That's good for toilet paper by the time the QSA pulls out of the parking lot. Don't believe me? Have a data breach and watch Visa roll in with auditors who won't leave until they find a reason to fail your compliance. That's just how the game is played.

All that said, people just declaring that they are PCI DSS compliant is actually exactly what happens. You tell the acquiring bank that you're PCI compliant (either via SAQ or QSA/ROC). If you've met certain levels of activity, the acquiring bank may pass along some paperwork regarding your audits to certain payment brands who require it. They then effectively state that your paperwork appears to be in order and begin processing your credit card transactions. At no point do they declare you PCI DSS compliant and they will most certainly toss your ass to the wolves the second there's a whiff of trouble. And even if they did say you were compliant at filing time, any QSA will tell you that any minor change, lapse, or mistake can completely alter the state of your compliance. From the PCI SSC website: "There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process."

In other words, yesterday you might have been compliant, and tomorrow you might be compliant, but today (always of course the day of the breach), you're non-compliant.

Comment: Re:PCI-DSS (Score 1) 203

No, there's no certificate, but there is a process of documentation and testing commonly referred to as "certification" before you are allowed to process credit card transactions.

This depends entirely on the organization and their acquiring bank's requirements (ultimately the acquiring bank is the only one who matters, but most reasonably organizations develop their own process to ensure they're covered as much as possible). For many small businesses, they're often times just buying a cheap terminal and swiping away. The acquiring bank isn't pressing them for details of their security measures and they're often completely clueless about any requirements they're supposed to be meeting. They aren't bringing in a QSA. Even if they were, bring in three QSAs to any decently sized organization and get three different opinions about your scope and your compliance measures. Half the fun of PCI assessments is determining what the requirements mean, how they apply in your specific instance, and where scope ends. But the point is, there's no issuing authority to say that you're PCI compliant. There's no governing body certifying anyone. The only thing that's actually there are the contractual relationships between the merchant and the acquiring bank and the contractual relationships between the acquiring bank and the payment brands.

I work in point of sale software development and have had to help retail chains overcome problems found in their certification tests. You either don't know what you're talking about, or you're playing a pointless semantic game.

It's not a pointless semantic game because it's the unspoken risk for anyone accepting credit cards. Since there is no official PCI certification and since there is no agreement between QSAs on what the requirements mean in principle (let alone in practice in a specific organization's situation), the PCI SSC gets to stick the claim up on their website that no breach has ever occurred in a PCI-compliant vendor. Best of all, each individual payment brand actually gets to decide what requirements have to be met in which situation by which type of vendor doing what type of business at what scale and via which medium. The ambiguity and the leverage the payment brands hold allows them to arbitrarily decide who is and who isn't compliant at any given moment.

So you keep on doing your documentation and your testing processes (and you should, it's good practice), but if you think for a second your customers are somehow protected from Visa, Mastercard, etc in the event of a breach, you'd best think again. It's a shell game designed to ensure that whenever things go south, the payment brands are never the ones left holding the bag.

Comment: Re:SUV vs pickup (Score 1) 205

by swillden (#47503485) Attached to: New Toyota Helps You Yell At the Kids

An SUV does NOT fill the role of a pickup truck unless you don't actually need a pickup truck. You need a pickup when you are toting things that you do not want to carry in the interior of a vehicle like loose dirt, stone, certain bulky supplies, trash, etc. Messy stuff. Very bulky stuff. If you can put what you are likely to carry in an SUV then you don' t actually need a pickup.

An SUV plus a utility trailer does fill the role of a pickup truck.

Why would you "need" a commuter vehicle? The cost of any commuter vehicle is going to hugely outstrip any fuel savings you might possible generate.

The cost of a minivan plus a pickup plus the fuel to commute in the pickup is greater than the cost of an SUV plus a small sedan plus the fuel to commute in the sedan.

The two most common things in the Universe are hydrogen and stupidity. -- Harlan Ellison

Working...