Comment Re:code review - PA-DSS required (Score 1) 244
Comment Re:The article draws weird conclusions. (Score 2, Informative) 220
Comment Re:The article draws weird conclusions. (Score 1) 220
Comment this was in his book (Score 2, Informative) 220
Comment Re:wasted? (Score 1) 196
An economic loss to who?
If you need to ask that, you don't understand the problem. Try reading up on the broken window fallacy.
If you need to ask that, perhaps you need to read up on this.
Obviously it is a small economical loss to the merchant, but it prevents much larger losses by others. This is called an externality.
Comment Re:The human factor (Score 1) 618
Comment Re:Holy shit (Score 1) 618
Comment Re:PCI-DSS certification is a joke (Score 1) 196
Comment Re:Well That Makes Sense (Score 2, Insightful) 196
If someone has told you that PCI requires using a 3rd party provider for public networks, you should get a second opinion. I have never seen that required or implemented.
Similarly, your firewall problem seems specific to your implementation. PCI requires firewalls between public networks and the cardholder data environment. Internal firewalls are not required, but are usually used to limit the scope of PCI. You don't want to make your CEO or secretary's computer PCI compliant, so you use firewalls to isolate only the systems in the cardholder data environment. You don't -have- to do this, but it makes things easier. I don't understand specifically what you mean by "a concentrated firewall and internet provider hub", but it does not sound like something required by PCI. Although it may have been a system designed by your organization to make compliance easier.
Comment Re:wasted? (Score 1) 196
PCI may be a loss for the merchant (cost of doing business), but an overall gain if it prevents loss to the card brands or consumers.
Comment Smartcards (Score 1) 332
This has driven down crime in the UK with their Chip and PIN system.
Here in the states, the industry is pushing ahead with encrypting magnetic stripe readers, but that still does not protect you if the attacker taps into the read head before it is encrypted.
I saw a device inside a gas pump in California two years ago. It was the size of a pack of gum, and made specifically to plug into the pump's cables. Small ICs, a pro job.
Comment Re:PCI compliant is meaningless? (Score 1) 68
And it's quite accurate: nothing can guarantee security.
FTFY. There is no perfect security. I don't know anyone that says PCI compliance guarantees you are secure. But it is an indication of the controls you have in place protecting cardholder data.
For instance, hiring a licensed, bonded plumber doesn't guarantee they won't screw something up. But your chances of a good outcome are a lot better.