Comments on: My reply to Bejtlich on DRM and PCI Requirements http://www.bloginfosec.com/2007/06/13/my-reply-to-bejtlich-on-drm-and-pci-requirements/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Kenneth F. Belva http://www.bloginfosec.com/2007/06/13/my-reply-to-bejtlich-on-drm-and-pci-requirements/comment-page-1/#comment-92 Kenneth F. Belva Wed, 13 Jun 2007 22:15:51 +0000 http://www.bloginfosec.com/2007/06/13/my-reply-to-bejtlich-on-drm-and-pci-requirements/#comment-92 Hi B.K. DeLong, Our paper does not argue against the validity of PCI. Our paper deals with whether or not security mechanisms may be used as enabling mechanisms. In our paper we argue they can and we cite examples of how security enables processes, hence the apple DRM example. Richard was arguing against the enablement perspective by saying that PCI compliance does not contribute to the bottom line and it does not have a ROI. Sincerely, Ken Hi B.K. DeLong,

Our paper does not argue against the validity of PCI. Our paper deals with whether or not security mechanisms may be used as enabling mechanisms.

In our paper we argue they can and we cite examples of how security enables processes, hence the apple DRM example.

Richard was arguing against the enablement perspective by saying that PCI compliance does not contribute to the bottom line and it does not have a ROI.

Sincerely,
Ken

]]> By: Richard Bejtlich http://www.bloginfosec.com/2007/06/13/my-reply-to-bejtlich-on-drm-and-pci-requirements/comment-page-1/#comment-91 Richard Bejtlich Wed, 13 Jun 2007 18:06:20 +0000 http://www.bloginfosec.com/2007/06/13/my-reply-to-bejtlich-on-drm-and-pci-requirements/#comment-91 Hi Ken, Thanks for your answer. I think security is only *appreciated* "when something happens". A world without security would be no world at all. Hi Ken,

Thanks for your answer. I think security is only *appreciated* “when something happens”. A world without security would be no world at all.

]]> By: B.K. DeLong http://www.bloginfosec.com/2007/06/13/my-reply-to-bejtlich-on-drm-and-pci-requirements/comment-page-1/#comment-90 B.K. DeLong Wed, 13 Jun 2007 15:18:42 +0000 http://www.bloginfosec.com/2007/06/13/my-reply-to-bejtlich-on-drm-and-pci-requirements/#comment-90 Interesting - while PCI may not directly boost the bottom line, lack of compliance could hurt it. Very much. Not only is the PCI Consortium actively fining those not in compliance, (some companies are choosing to take the hit), but they are now removing repeat offenders' ability to process cards for long periods of time. The problem is because the fines and the rights revocation is a private relationship between a credit card company and a vendor, the PCI Consortium is not publicly disclosing the information about them. Thus a) consumers don't know who is being deemed insecure and b) vendors don't realize that the PCI co *is* taking action against those not in compliance. Interesting – while PCI may not directly boost the bottom line, lack of compliance could hurt it. Very much.

Not only is the PCI Consortium actively fining those not in compliance, (some companies are choosing to take the hit), but they are now removing repeat offenders’ ability to process cards for long periods of time.

The problem is because the fines and the rights revocation is a private relationship between a credit card company and a vendor, the PCI Consortium is not publicly disclosing the information about them. Thus a) consumers don’t know who is being deemed insecure and b) vendors don’t realize that the PCI co *is* taking action against those not in compliance.

]]>