Kevin and team look like they’re in for some cool fun here……….

http://www.matasano.com/log/699/did-idg-bet-1000-that-acunetix-cant-steal-credit-cards-from-random-websites/

http://www.acunetix.com/news/acunetix_reveals_data.htm

As regards the figures... not far off the estimates we discuss with clients. The Network World response highlights what we've said before: even people in the IT industry can be oblivious to the extent of the issues out there.

What's the bet they've been working overtime on their site(s)' security since the challenge went out? Even then, they'll probably be found wanting.



I know I keep harping on about PCI, but I really do believe we're only just beginning to feel the impacts here in Australia and New Zealand (plus Asia Pacific). It's going to get bigger! My recent post on this topic threw out a few questions, and I have managed to get clarification on some of them, plus some additional interesting little bits.

Keep in mind that the following is my take on things, though I reckon I am pretty close to how it is. My sources here are pretty good. Let me also re-state that I am very pro PCI DSS. We've never had anything like this in this region that impacts so much of the business world to this level, mandating good security controls and practices. Common sense things, I think we would all describe them as; things that good security guys have been preaching for years; things that generally don't get a reaction from the business world to the levels they should until someone with authority and a big stick mandates it! Anyway, I ramble. Back to the point:

So are things clearer now? Is there a definitive message that clarifies it all for those impacted, in particular the merchants and service providers (M&SPs)? Well, it depends on how you look at things.

The Visa Story

Visa maintains a softly-softly approach, as it seemingly has from the outset.

Their focus has been, and in the short term will continue to be, on Tier 1 M&SPs. For Tiers 2 and 3 at present, they are focussed on awareness programs: "Hey guys... this is important and you should get your heads around it ASAP, because we're going to expect it soon".

There are no plans at present to levy fines on acquiring banks for non-compliance by M&SPs (fines that the banks could then pass through to the M&SPs). The strategy is to promote compliance and its benefits while still setting deadlines.

They seem to be realistic in understanding the extent of the impact that PCI DSS compliance will have upon organizations. So as long as Tier 1 M&SPs can demonstrate a commitment to compliance and a realistic roadmap (within reasonable timeframes), there won't (at this stage) be a threat of fines for non-compliance. Slackness or a lack of commitment from M&SPs will more than likely be met differently.

So, that means things are pretty cool at present and companies shouldn't worry too much? Hmmmm...

The MasterCard Story

The Payment Card Industry is made up of other members too, and whilst Visa can take one position, should another member take a different position on compliance, the M&SPs will be held to the stricter of the two. (Does that make sense?)

MasterCard has the same well-intentioned end goal, but is at present taking a very different approach.

Their big focus has been on Tier 2 and 3 M&SPs becoming compliant while building awareness with the Tier 1s, taking the position that such an undertaking may be huge for organizations in that category, and thus they need extra time.

Aside from this difference, MasterCard has also (to my knowledge) started to levy fines on the acquiring banks. The reasoning: the banks have had plenty of notice now; earlier compliance deadlines such as 30 June 2005 have long passed. They have been more than lenient, and now it's time for action; otherwise, how long will this go on for?

Some Questions:

1. Why are some/many M&SPs only just being told what they need to do in regards to PCI DSS compliance?
2. Why are threats of fines for non-compliance with PCI DSS already being mentioned to these guys, with relatively unrealistic deadlines, i.e. months?
3. Are some M&SPs going to "pay" due to a lack of appropriate and timely action to date from some acquiring banks?
4. Who is accountable (i.e. who should pay the fines) for non-compliance in such scenarios? (I know where I am swaying on that.)

Posted in: PCI, PCI DSS


Never have I seen such a reaction. A certain techo in the team backed away like he had seen a spider. Really.

I convinced him that it wouldn't bite, and after a while he even booted it up, looked around, showed me how cool it was to view open windows in a 3D-like view, and just as I thought things were okay, he proceeded to trash the operating system and install something else. :-)

Posted in: Uncategorized


I'm waiting on some responses from PCI members at present, but it has been a few days since I threw a few things out there. There are a few things we're trying to cover:

1. Why have fines started being imposed by some members of the PCI, when it was hoped that the big stick would be put aside for a while as long as organisations could demonstrate a commitment to compliance (through roadmaps etc.)?
2. Will fines encourage compliance, or:
- BS responses (discussed previously in this blog)?
- Organisations willing to pay the fine and stuff the compliance work?
3. How are some QSAs able to complete an onsite audit in a few days and pass a Tier 1, when others quote a minimum of 3 weeks (not including re-audits where issues are holding back compliance)? I'll give you the tip: I'd bet my house on being able to rip apart a clean Report on Compliance delivered in 3-4 days by some "BIG" guys. (Now which one is the mainframe? :-)
4. Related to the previous question: why is it that many QSAs themselves don't understand what falls into scope and what does not for PCI DSS compliance? If many QSAs struggle, it amazes me that so many SAQs (self-assessment questionnaires) completed by merchants themselves come back as "compliant". How?
5. Are there inconsistent messages being passed down from the acquiring banks?

There are still so many questions around PCI that need to be addressed and clarified. It's a good thing, but it needs some work! Hopefully we'll get some responses and share them here.

Posted in: PCI, PCI DSS




The Star Wars brigade has united as one in defence of their nerdism. Seems even nerds want to distance themselves from the Vista fanboys.

The Brain of Wade has led the charge – http://blog.wi.id.au/2007/02/03/are-vista-fanboys-starwars-nerds-leave-a-comment/.

And who could blame them! I have been taught a valuable lesson by all this, and never again shall I lump all nerds into one basket.

Posted in: Uncategorized


Just to prove most pundits and analysts are correct, another dude has decided to write about our small little company:

http://www.demo.com/demoletter/report_from_down_under.php
http://wistechnology.com/article.php?id=3316

But then again, those who matter know this already. :-)

Send POs at your pleasure...

Posted in: Uncategorized


Why Why Why would anyone line up at a department store at midnight to be one of the first to buy an operating system?

http://www.computerworld.com.au/index.php/id;295073968

Should the cops have been hanging outside to book these geeks as they sped home to install it? Then again, I reckon mum and dad were in the car outside waiting to take their 30-year-old computer "guru" home, so maybe not. Same dudes who probably lined up for Star Wars movie tickets while the rest of us just booked them on the net or over the phone. Maybe I'm just getting old, or maybe I'm still just too cool for all this stuff... :-)

That’s all …………

Posted in: Uncategorized