undefined | Better HN

0 pointskbenson9y ago0 comments

In some respect, there's been a level of insurance like requirements for some segments. PCI DSS. It's been a decade of so since I had to deal with it, but the requirements were for the most part no nonsense good practices, and instituted a base level of security that was good. Separated DB and application servers. Specific SQL access credentials. Firewalls with pinhole access. Restricted network access for some server roles.

I'm pretty sure this is required because the card industry can't insure against risk accurately without a base level of assurance that your company isn't some fly-by-night IT hellhole. The same concept would likely apply towards any security insurance that was put forth. You would need to certify that certain steps had been taken, and certain future actions would not be taken, for it to be valid.

0 comments

2 comments · 1 top-level

CaptSpify9y ago· 1 in thread

The problem I had with PCI DSS is that you could check the boxes and if you are never audited, you don't actually have to fix those problems. I worked for a place that ran that way for ~3 years.

kbensonOP9y ago

Yeah, it is a sort of honor system, but I'm sure if you were hacked, and they see you aren't compliant, it won't go well for you. The fines get steep fairly quick[1][2]. Considering it mentions you might be charged $50-$90 per card even if you are compliant. Although I think those are actually fees for the issuers, I can't imagine they don't have a way to pass then along to merchants.

1: http://www.focusonpci.com/site/index.php/pci-101/pci-noncomp...

2: https://www.pcicomplianceguide.org/pci-faqs-2/#15

j / k navigate · click thread line to collapse