Thursday, August 20, 2009
Robert Carr, PCI, QSAs...
I tried to resist posting about this last discussion. For those who are not aware of it, a very quick overview:
- Payment processing company Heartland suffered a breach that exposed well over a hundred million credit card numbers.
- Heartland's CEO, Robert Carr, complained that the company had passed its regular PCI-DSS audit and that the QSA had not pointed out the issues that led to the breach.
- The security industry went mad about his complaints: "compliance is not security", "compliant at the time of the assessment does not mean always compliant", "PCI-DSS is just a set of minimum requirements", "a QSA's report is only as good as the information the assessed company gives them", etc., etc., and finally, "he should know all that".