On 28 Nov 2006 21:51:56 -0000, mr.nasty@ix.netcom.com
<mr.nasty@ix.netcom.com> wrote:
I can't help myself here but this type of idiocy kills me.
The reason for regulatory bodies is because there are those in the business who
can't seem to follow a set of guidelines to provide at least a basic level of
trust to keep their customers identity private. Now I don't want to get off on
a rant here but the opportunity is there.
I find Mr. Nasty's post kind of ironic.
The thread is about PCI/QSA/ASV which derives from a contractual
obligation rather than a regulatory (government) framework. I happen
to like PCI better than the regulatory frameworks because it isn't as
fuzzy (Shall we have a discussion about what "significant" means under
SOX?) and is getting less fuzzy with 1.1.
Nobody forces a company to submit to PCI. You choose to do it because
you desire to accept payment by credit card. It is a contractual
obligation. If you don't accept credit cards and you don't provide
services (within the PCI environment) to a company that does...then
you don't have to worry about PCI.
I agree with Erin that being an ASV would be useful if you are doing
vulnerability assessments and pentests. If you are in the auditing and
remediation arena then you will want QSA if you are dealing with
anyone accepting credit cards.
Just my 2 cents.
Dotzero
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
