FOAK: An interesting little challenge

No
chris at systemlabs dot co dot uk will be though. TIA

--
Catman MIB#14 SKoGA#6 TEAR#4 BOTAFOF#38 Apostle#21 COSOC#3
Tyger, Tyger Burning Bright (Remove rust to reply)
116 Giulietta 3.0l Sprint 1.7 GTV TS GT 3.2 V6
Triumph Sprint ST 1050: It's blue, see.
#www.cuore-sportivo.co.uk

 

It'll make a change from being cryptic.

--
Catman MIB#14 SKoGA#6 TEAR#4 BOTAFOF#38 Apostle#21 COSOC#3
Tyger, Tyger Burning Bright (Remove rust to reply)
116 Giulietta 3.0l Sprint 1.7 GTV TS GT 3.2 V6
Triumph Sprint ST 1050: It's blue, see.
#www.cuore-sportivo.co.uk

 

Yes, ish, although the devil is in the detail. Hence the eager
anticipation of any compliance meetings.

 

Think of a mobile phone company that's just split into two. I work for the
other part. Which works.

 

Or a few high-profile data loss incidents and associated penalties from
the payment processors. Not to mention the bad press - the media are
latching on to this shit big time. Over here, anyway.

Well, kinda.

But strong encryption with no practical way of eavesdropping or
decrypting in situ is in itself (pretty much) enough to make a device
compliant.

Your network devices, for example don't have to be particularly
compliant if they only carry SSL-encrypted traffic. And if the card
details are stored in a manner that means they can't be unencrypted
using any keys stored on (or accessible on) the same box, that box may
already pretty much be compliant. The trick is to isolate the devices
that have access to card details and focus the attention on those. The
rest of the platform can be as ropey as you like, as far as PCI's
concerned, anyway.

So if it's not worth the effort they should be offloading the card
processing to a payment gateway (Paypal, Worldpay, whatever), not doing
it themselves. Save themself a world of arse-ache and expense.

 

Best practice costs money. Go figure.

 

I am the SWK.

 

Interesting that you think your company has skills in that area, that's
not quite what I've been hearing and I know that you're not being
considered by this particular vendor for deals on that basis.

 

Like that's ever happened to you.

 

I dunno, it pays the bills and keeps the garage stocked with toys.

In the land of the blind, outsource it to me, the one-eyed man!

 

heh. MWHID.

 

Heh, good summary. The travelling sucks though, Stockport on Wednesday
followed by a trip back to a client in the city on Thursday.

 

That's parenthood, that is. No "But I haven't done this before"
excuses tolerated. No manual, either, nor time for due consideration
or even googling allowed. Advance as one sees fit, fingers firmly
crossed.

 

Try a google on "Caldera International" they purchased the UNIX stuff
from The Santa Cruz Operation.

 

Mike Buckley wibbled forthrightly:

Oh we do have the skills, that's for sure (we inherited quite a few
from our acquisition of AirDefense a couple of years ago). To be fair
though, we don't certify customers for PCI compliance but we help them
get up to spec for certification. The main reason is, that we're on the
PCI committee.

 

Then changed their name to SCO after buying the unix stuff from old SCO.
(What's left of them now go by the name Tarrentella.)

Then started trying to sue IBM for putting unix code into the linux kernel
and trying to charge people protection money so they wouldn't be sued for
using linux.

Thus began the 10 year long deathspiral.
SCO is dead in all respects now, I think even the rats have left the sinking
ship at this point in time. They even lost their "rights" to Unix (novell).

The IBM trial never did complete. Didn't seem much point until the novell
one finished by which time the company wasn't worth the paper the shares
were printed on. I think there might be still a few lawyers fighting over
the scraps though.

 

Pikey company you work for ....