Monday, May 12, 2008

Why PCI DSS is doomed.

Too much fun in the news to pass up on today.
First, the press release from McAfee indicating the obvious re-branding of McAfee Hacker Safe to McAfee Secure for Web Sites. Oh yes, dear friends, McAfee delivers the secure internet. The profound and deeply flawed arrogance continues, with a new name.
Rafal Los has already torn into this one, so I'll let you get the goods there, but after reading further I saw this gem:

Yep, full steam ahead. Now your credit cards are really going to be safe.

As you may know the previously vague PCI DSS 6.6 language has been made even more elusive with such useful language as:
"Keeping in mind that the objective of Requirement 6.6 is to prevent exploitation of common vulnerabilities (such as those listed in Requirement 6.5), several possible solutions may be considered. They are dynamic and pro-active, requiring the specific initiation of a manual or automated process. Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum level of protection against common web application threats."
Such strong assertions: possible, may, could. We wouldn't want to actually commit, would we?
As if all of this wasn't enough, along comes the PCI mastery of the PCI Blog - Compliance Demystified, from
You'll get a 404 now, but here's the cached page.
Yep, a QSA actually debating the merits of ScanlessPCI.
"From what we can ascertain, is just a scam."
Really? We weren't sure.
"The larger concern is the fact that they require you to insert code into your Web site to get a copy of their certificate. Since you are inserting code into your Web page for a GIF, it is anyone’s guess as to whether or not they are hacking your site at the same time they are supposedly protecting it."
Oh, scary. C'mon, guys: an image tag pointing at a GIF fetches a picture, nothing more; it does not execute anything in your page (a third-party script include would be a different matter). I think you should insert this picture on your website. Then your customers can feel truly confident in your services. Man, my ribs still hurt from laughing.


Anonymous said...

Please call or email me directly if you have questions about any post on

My phone number and email address are posted on the site. I find it offensive that you didn't bother to call and identify the reason for anything happening on our site.

Rafal Los said...

Mike - you find it offensive? I find it offensive that Jeff Hall is debating the merits of a FAKE PCI SPOOF site seriously with himself.

Get over it, at least you guys had enough sense to pull the post.

Mike Rothman said...

As opposed to admitting they'd been duped, they decided to pull the post down. Thus, they are fair game for all the ridicule that goes with falling for ScanlessPCI.

I think they should have poked a little fun at themselves, as opposed to pulling the post down. It's not like Google ever forgets...

But alas, far too many security types take themselves far too seriously.

Mike Rothman

Unknown said...

They would've gotten away with it too, had it not been for you meddling kids.


Anonymous said...

I'd like to thank Russ McRee for alerting me to this issue and contacting me directly. I appreciate his openness and interest in promoting positive conversations.
