@attritionorg Scope is not about security, it is about getting to the point where you can do something practical
@attritionorg Yep, agreed. But then so is SOX, HIPAA, etc. Something you have to do; the only other option is to not accept payment.
@sec_prof I understand why PCI compliant. Just wish every single company admitted that is the reason. Not because it adds real security.
@attritionorg To that we totally agree. Most do it because they have to, and to check the box
End of conversation
New conversation
@attritionorg The focus of the paper is consistent scoping decisions. It has nothing to do with security per se.
@sec_prof Once again: PCI scope is always, 100% of the time, considerably smaller than an attacker's scope.
@attritionorg I disagree. If the PAN is the target, then any system an attacker would go after would fall into scope. Hard to explain in 140
End of conversation
New conversation
@attritionorg @darkuncle Agreed, but I am saying InfoSec can use PCI as a tool to implement "reasonable defense" /cc @hrbrmstr
@sec_prof @attritionorg @darkuncle Very rarely. I just did a SAQ and built a new PCI environment. I built it with the mindset of a pentester.
@jadedsecurity I am in a similar boat. I am full public cloud though. Did a blog on it.
@sec_prof I saw it. I'm not sure public cloud is still a good idea, as the card is in memory at one point.
@jadedsecurity Public cloud was the only option. We do not own servers. We are "all in" when it comes to public cloud.
@sec_prof which is fine as long as you are heavy in application controls or dedicated hosted systems
End of conversation
New conversation
@attritionorg @sec_prof @darkuncle Corporate culture documented.
@attritionorg @sec_prof Even if you are PCI compliant you are still liable for lots of first-party costs, i.e. notification, replacing CCs, etc.