Comments on: PCI and Social Proof http://spiresecurity.com/?p=100 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Anton Chuvakin http://spiresecurity.com/?p=100&cpage=1#comment-89 Anton Chuvakin Mon, 09 Feb 2009 18:07:06 +0000 http://spiresecurity.com/blog/?p=100#comment-89 OK, that makes sense actually; on any curve we’d always have a large # of co which are way, way below PCI DSS standard.

]]> By: Pete http://spiresecurity.com/?p=100&cpage=1#comment-88 Pete Mon, 02 Feb 2009 18:41:45 +0000 http://spiresecurity.com/blog/?p=100#comment-88 @Anton -

Those folks are “below the mean” and when told (for example) that x thousand organizations are PCI compliant, should work to become compliant as well.

In any case, this came up because we know PCI-compliant companies are still hit with incidents and so in some respects PCI is not sufficient (we knew that, but tend to forget often). So, for these orgs, they are already compliant.

]]> By: Anton Chuvakin http://spiresecurity.com/?p=100&cpage=1#comment-87 Anton Chuvakin Mon, 02 Feb 2009 17:11:15 +0000 http://spiresecurity.com/blog/?p=100#comment-87 One logical flaw here: “the “goal” of being PCI-compliant the social norm …”

If you look at small to large orgs, you’d notice that PCI is STILL (!) way, way ABOVE many organizations level of security.

We think of it as “the minimum”, they think about as “WAY too much!” :-(

]]>