Thanks for posting, I had to skim a lot of replies before finding some informed opinions.

PA-DSS (a PCI standard) requires code review by someone other than the original author, who has training in secure coding practices.

I'm not saying it proves it was a spy front or not. I'm saying you are drawing conclusions based on incomplete information. If you are interested, perhaps you want to read more about it in his book.

FWIW, there is more to it than having eggs, this is just a quote. As I recall, they were selling the eggs below cost, and there were other signs it was not a normal restaurant.

The black egg anecdote was in Ira's 2005 book, 'Spies Among Us', which I do not recommend except for some of the stories like that.

If you need to ask that, perhaps you need to read up on this.

Obviously it is a small economical loss to the merchant, but it prevents much larger losses by others. This is called an externality.

If you haven't seen people doing degrading things (presumably for money) on the Internet, you haven't surfed far, or your definition of 'degraded' is an outlier. I don't think anyone in this discussion would feel differently if it was gay porn, so I'm not sure how hypocrisy or misogyny come in to it.

My neighbors leave their wifi open. Any suggestions on limiting access to this? Aside from tinfoil wall paper. I have an extra WAP, is there a wifi jamming utility?

I know level 1 merchants and service providers that are using virtualization. You may want to look into that further.

I think you have some misconceptions about PCI. "At best", I have seen PCI make companies improve firewall rules, secure WLANs, and encrypt your plaintext credit card numbers (for starters).

If someone has told you that PCI requires using a 3rd party provider for public networks, you should get a second opinion. I have never seen that required or implemented.

Similarly, your firewall problem seems specific to your implementation. PCI requires firewalls between public networks and the cardholder data environment. Internal firewalls are not required, but are usually used to limit the scope of PCI. You don't want to make your CEO or secretary's computer PCI compliant, so you use firewalls to isolate only the systems in the cardholder data environment. You don't -have- to do this, but it makes things easier. I don't understand specifically what you mean by "a concentrated firewall and internet provider hub", but it does not sound like something required by PCI. Although it may have been a system designed by your organization to make compliance easier.

An economic loss to who? In the past, some merchants have not had firewalls and sent cardholder data over FTP on the Internet, because it was 'too expensive' to do otherwise.

PCI may be a loss for the merchant (cost of doing business), but an overall gain if it prevents loss to the card brands or consumers.

The problem is the entire infrastructure that pretends certain data is secret (PAN, track, CVV2), but makes you provide it to everyone for a purchase. The answer is to use smartcards, so that even if they intercept the data, they can't use it for purchases. We have strong systems, if they will just deploy them.

This has driven down crime in the UK with their Chip and PIN system.

Here in the states, the industry is pushing ahead with encrypting magnetic stripe readers, but that still does not protect you if the attacker taps into the read head before it is encrypted.

I saw a device inside a gas pump in California two years ago. It was the size of a pack of gum, and made specifically to plug into the pump's cables. Small ICs, a pro job.

FTFY. There is no perfect security. I don't know anyone that says PCI compliance guarantees you are secure. But it is an indication of the controls you have in place protecting cardholder data.

For instance, hiring a licensed, bonded plumber doesn't guarantee they won't screw something up. But your chances of a good outcome are a lot better.

Also: Make sure your PIN is only 4 digits, some places do not accept longer PINs.

That is close to militant agnostic: "I don't know and you don't either."