Andrew, I agree that there needs to be more good sites out there to get info on PCI/DSS but I have to come to the defense of the SCC. I know that you didn't "attack" but I went back and looked at your question and I think I know why more people (including myself) didn't post a reply. You were asking questions that were of a specific nature and most of the guys in the SCC are pretty quiet about giving specifics of their environments. I know that I won't give those details; even if they are pretty basic, I am not in the habit of giving out details. If I do start I may say something later that I wish I hadn't.


Thanks for commenting and yep, got that entirely. However, I thought my question was general enough to not concern people about answering but I'll accept that the subject matter itself is somewhat sensitive. I find this interesting as it will help me tailor my questioning style in future.

I'm certainly not knocking the Catalyst community, I think it’s great but it appears to display similar low levels of PCI DSS interest to other sites and matches my thoughts on lack of PCI DSS focus.

I’m still unsure why it is the case but as I said, maybe it’s because PCI DSS is considered “just another compliance requirement”. After all, the PCI DSS requirements are pretty standard stuff and anyone with a half decent Security Programme should be covering most of the content anyway.

In theory.


Andrew -
Interesting post. I find it interesting, indeed... and notice that people have the same reaction to FISMA, GLBA, HIPAA (especially now that the deadlines passed).

I'm not sure if people are overwhelmed, underwhelmed, misinformed or what.

I'll go back to check your question to determine if I have any credible insight to share. Heck, even if I don't, I'll see if I can muster some insights.

I see the "solution," if you will, as focusing less on specifics and more on an inclusive approach to help people understand in more natural ways.


Mike,

Thanks for the comment and to be fair, Andy ITGuy makes a good point about confidentiality in his reply.

That said, the original post over on the Security Catalyst Community was more generic in nature but with a PCI title. It would be interesting (but now impossible) to see if more responses would have been made if the title did not include reference to PCI DSS.


Andrew,

Thanks for your blog, and thanks for your comment about the lack of info generally available. I agree, which is why...

As of today, there is another PCI DSS blog site: www.treasuryinstitute.org/blog. Although this one is designed specifically for the Higher Education community, any and all are welcome.

Full disclosure: I helped create it and am co-editor. Our goal is to help colleges and universities with their open networks and tight budgets cope with PCI compliance. Collaboration is a hallmark of this industry, and I know it will work with PCI, too.

As a consultant who works with schools, I see many of the same challenges faced by retailers and other businesses. We are hoping to be a voice -- and an ear -- for the Higher Ed community/merchant segment to the Security Standards Council.


Welcome Walt, glad to have you here.

I've had a quick look at your blog and it already has some interesting stuff on it, I'll look in greater detail ASAP.

On the collaboration front, have a look at the Security Catalyst Community at http://community.securitycatalyst.com which may be of interest to you. It is a forum based community and has a specific forum for "Security in Education".

Thanks again for the comment and I've added treasuryinstitute to my Bloglines account.


Andrew,

Thanks for the kind thoughts, and thanks, too, for swinging by the blog and making comments. Everyone appreciates your insights. (And I know at least someone is reading mine...!)

I'll check out the Security Catalyst site.


No worries. I should have said (if I didn't before) you should also look at www.pcianswers.com for loads of PCI DSS related info.


Re: PCIAnswers...I agree. I went to a training session Michael ran. It and he were very informative. It and the Forum are great resources.


It seems to me that PCIAnswers is the one place where everyone stops off, mainly due to Mike's profile in the US.
According to the FireStats on WordPress we had 307 unique visitors in the last 24 hours, but over 25,000 in total since the site started up. That's quite a large proportion of "security people" focused on PCI, probably all of them in fact!
You have to remember we're aiming at quite a specialised segment, and whereas it might be a huge part of our worlds, it's not a whole hill of beans to a lot of others.
The fact is, if you do a search on PCI DSS in Google, we don't even show up on the first page. Maybe we need to do some optimisation?


Yes, PCI Answers is definitely "where it's at". And the figures you give just go to show how crud my blog is because I don't get anywhere near that many!!!!!!

Regarding your statement about PCI DSS not being that big a deal to a lot of people, I'm not sure I accept this as PCI DSS impacts any and every organisation that captures, stores and processes card details either on or offline. My take is that there are sufficient numbers of such organisations for PCI DSS to have a higher profile.

That said, as we know, apart from the US and the UK, no one else (definitely not Spain!!) appears to be being targeted by the card associations to get compliant.

Maybe we're ahead of the game and our plan for European domination in the next few years has merit!!!!



Dear colleagues,

I would like to inform you that in September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements. The latest version fully supports the PCI DSS 1.1 standard.

PTA - Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of your business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from the following link:

http://www.ptatechnologies.com

PTA fully supports the PCI DSS 1.1 standard. Download a free PTA for PCI DSS security library from the following url:

http://www.ptatechnologies.com/? ...ction=documents



Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.

Regards,

Zeev Solomonik
R&D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com


As of this comment we have over 450 users of the online forum (http://forum.aegenis.com/) and get about 1,000 hits/day to the PCI Answers blog (http://pcianswers.com/). Considering the number of people globally involved in PCI DSS compliance this is a good percentage.


Dear Sir,

We are a publishing company based in the UK with books registered for worldwide use and currently have a new book, PCI DSS: A Practical Guide to Implementation, in both soft cover and e-book format.

We also have some information on our website around PCI DSS at http://www.itgovernance.co.uk/pc...uk/ pci_dss.aspx

Regards


Thanks for the information.

