dailyinfosec has grown sensationally. We really want it to be the best news site on the Net. We’re getting there! But keen on your thoughts…..

Keen on your thoughts or hit the SA Website and click on the poll.

SearchSecurity reports on Visa’s push for PCI Compliance.

Finally, some figures that look almost realistic. You can take these figures to really mean that 60%+ of these businesses do not have good basic security controls in place. Let’s be realistic….as much as PCI has copped criticism, it’s really doing no more than stating, these are good security practices – nothing overly fancy – you should be deploying them.

Even companies who don’t fall in under the PCI program should have a look at the PCI DSS and see how they compare. Is the standard definitive? No…but its one of the better ones out there in the public arena. Would we base a whole state of security review around the PCI DSS Checklist? No way, but we’d certainly make sure that we’d covered the requirements at a minimum and then added our additional checks. But hey, we’re like that! :-)

The linked story goes on to state; “For example, a security lapse flagged by one auditor may not be considered an issue by another”…………”Clearly there needs to be more consistency between the way assessors interpret the requirements,” Adams said.”

COULD NOT AGREE MORE!! But you can’t always blame the standard itself. While there are grey areas in terms of interpretation that does not forgive basic incompetencies…..QSAs need to accept blame where it surely rests with them.

We’re generally pretty close to time estimations on our jobs for clients. Sour grapes – we’ve lost 2 recent bids for Tier 1 Onsite Audits. I don’t stress it too much, because we can’t compete and, nor do we want to compete in scenarios where we have quoted 30 days and get beaten by someone quoting 5 days. Let’s be honest, for most companies, PCI is a pain – they want the tick in the box and to forget it for another year. It’s the classic case of compliance going one way and security the other. Why would you want Security-Assessment.com poking around finding bad stuff for 30 days when you could get a Big guy in for 5 and you know you’ll probably do quite well?

We had a call from a Tier 1 (service provider) a couple of months ago. The Big guy who did their Onsite Audit last year is no longer in the game, so they were looking for a new QSA for this years audit. Somehow, Big guy pulled this audit off in 4 days last year and passed them! We were told in no uncertain terms that should we be hired, they would expect the job done in a similar time and they “expected to be passed!” ………Bull to a red rag……….We sized the job, quoted 3-4 weeks and stressed we’d really rip it up – finding EVERYTHING! :-) Needless to say, we never heard from them again. So yeah, quotes like that talking about QSA inconsistencies are pretty much on the ball.