Comments on PenetrationTester.com: Loosing faith in PCI enforcement
Feed author: Chris Gatford (http://www.blogger.com/profile/01617397637143599994, Chris@penetrationtester.com)
Feed last updated: 2009-01-22T09:43:14.165+11:00

Matthew Hackling (http://www.blogger.com/profile/12211732838162218259), 2009-01-21T22:32:00.000+11:00:

Just sending out invites to 60-odd people tomorrow for a PCI-DSS event; will see what the response is like. I helped make the 1st Level 1 service provider in Aust. compliant. I know of one association who is compliant.

Steve Atcheson, 2008-08-14T09:07:00.000+10:00:

I just read your comments on PCI. In my line of work, we perform external audits and I am amazed at the number of IT managers in the finance industry who have little knowledge of PCI. Education seems to be severely lacking in Australia.

Drazen Drazic (www.beastorbuddha.com), 2008-07-28T16:51:00.000+10:00:

The banks have been the main reason, in my opinion, for the slack uptake. Some have done it well, others far less so - some have barely begun! I have been in the middle of drafting a post about this for a while, with one of the points being:

"Communication of compliance requirements to organisations is, in my opinion, the reason why PCI DSS compliance in Australia lags well behind the US. While the Payment Card brands are steadfast in their position about PCI DSS compliance, at the Acquirer level things change dramatically, and who the organisation's Acquirer is determines how aware of, and how seriously, PCI DSS compliance requirements are acknowledged and understood by the organisation. Thus, two similar organisations in the same sector have differing views of, and approaches to, PCI DSS compliance.

Incentive is the driver for any action. If there is no clear incentive – whether a positive or negative incentive (e.g. fines for non-compliance) – an organisation is not going to do anything. Why would you? If the obvious incentive to be more secure is not clearly evident as a reason to move towards PCI DSS compliance, then it's a tough sell."

Re: fines - if one bank is passing on the fines and another isn't, the inconsistency is going to be to the detriment of advancing the program as a whole - potentially even making it go backwards.

At the end of the day, many companies believe they are too important to the banks and thus can do what they like. Are they really big enough for the payment card brands to make an exception for them? :-)

I've met a couple also, and there's not much you and I can do aside from ensuring we've fully briefed them on the consequences.

Chris Gatford (http://www.blogger.com/profile/01617397637143599994), 2008-07-23T12:13:00.000+10:00:

Yes, trust me, I pushed all the extra costs. But to no avail; I guess that the people making the decision just wanted the immediate problem to go away. Hence they really don't care about having a secure environment. Shame really; let's hope that the banks get more serious and hand out bigger fines to force these companies to take action ... or a major, major hack to shake up Australian companies.

Drazen Drazic, 2008-07-19T16:52:00.000+10:00:

Chris, the fines are nothing, as you mention, but what needs to be communicated to those organisations is that the cost of a breach, and that organisation not having "safe harbour", is going to cost a lot more. We're talking in the millions now, e.g. TJX, Hannaford etc. (not even talking reputational damage).

In Australia, PCI DSS has a long way to go!