bob1029 5 hours ago

The institutional moats grow ever wider.

PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks. The notion that your system might become "in-scope" is one of the scariest things you have to deal with. Avoiding this designation is almost always easier than satisfying all the controls they prescribe. Stripe & friends have it really good. I don't know who their equivalents are in the health care industry but I am certain they exist.

burnte 2 hours ago | parent | next

> PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks.

My personally most hated compliance ruleset. I've been in Healthcare for over a decade, I'm a HIPAA/data security expert, and PCI compliance is genuinely harder and more nonsensical than HIPAA.

And to be honest, for every ONE healthcare place I've seen that would fail a HIPAA audit, I've seen 20 companies that would fail PCI compliance and by a wider margin. The number one PCI issue I've seen *literally* everywhere is recording/writing down card numbers with CVV. It's strictly forbidden by the rules, and every small and medium business breaks that rule constantly.

kstrauser 4 hours ago | parent | prev

I despise PCI-DSS. A friend owns a small business and has a credit card reader. Due to that, we had to build out a separate LAN so that the reader is on its own precious network, and have to pay an external auditor for a quarterly scan of our external IP. Bullshit past findings were things like “your VPN server supports old encryption algorithms”. “But our clients don’t support them. They select the newer algorithms!” “But they could!” “What do you care? Those clients aren’t even on the same LAN as the scanner.” “PCI-DSS lol!” I have no way of knowing, but I bet the firewall might’ve accidentally blocked the scanning IP from reaching the VPN server port on the retest and called it a day, but surely not.

Basically, Visa and friends externalized their own shitty security and made every other company in the land responsible for wrapping their janky hardware in electronic bubble wrap. A real security framework would’ve said “don’t make a credit card scanner so weak that it can’t survive being on the same LAN as a printer”. Instead, the whole country has to waste billions of dollars mitigating that risk for them.

akerl_ 4 hours ago | parent | next

> Bullshit past findings were things like “your VPN server supports old encryption algorithms”. “But our clients don’t support them. They select the newer algorithms!”

Given that downgrade attacks are a massive category of attacks for network protocols, and in fact modern protocols go to great lengths to make them impossible, that doesn’t sound very bullshit at all.

kstrauser 4 hours ago | parent

If a client doesn’t support an algorithm, you can’t force a downgrade to it. A compensating control is that the clients are managed and only support the newest algorithms, and aren’t vulnerable to a downgrade attack.

Context is everything. Here, the context is that within this scan environment, it was, in fact, a bullshit finding.
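The negotiation that the two replies above disagree about, as an added toy model (not code from the thread): algorithm names, the preference-order rule and the attacker's strip step are constructed assumptions, and the model deliberately leaves out the handshake-transcript authentication that modern protocols use to detect exactly this tampering.

```python
# Toy model of algorithm negotiation with an on-path attacker who can delete
# entries from the client's offer before it reaches the server. Constructed
# example: algorithm names and the negotiation rule are assumptions, and the
# model omits the transcript authentication (e.g. TLS 1.3's signed/MACed
# handshake) that real protocols use to catch a tampered offer.

STRONG = frozenset({"aes256-gcm", "chacha20-poly1305"})
WEAK = frozenset({"3des-cbc", "rc4"})


def negotiate(client_offer, server_support):
    """Server takes the first entry of the client's preference list it supports.
    Returns None when nothing overlaps, i.e. the handshake fails."""
    for alg in client_offer:
        if alg in server_support:
            return alg
    return None


def strip_strong(client_offer):
    """Attacker on the network path: delete every strong entry from the offer."""
    return [alg for alg in client_offer if alg not in STRONG]


def outcome(client_offer, server_support, attacker_on_path):
    """Return (chosen_algorithm, downgraded_to_weak) for one handshake."""
    offer = strip_strong(client_offer) if attacker_on_path else list(client_offer)
    chosen = negotiate(offer, server_support)
    return chosen, chosen in WEAK


def downgrade_possible(client_offer, server_support):
    """Can an on-path attacker force a weak algorithm on this client/server pair?
    In this model that needs BOTH sides to accept a weak algorithm, which is why
    either a server-side fix or a managed, strong-only client closes the hole."""
    return outcome(client_offer, server_support, True)[1]


# Scenarios from the thread: a VPN server that still offers old algorithms, seen
# from an unmanaged client and from a managed client that only speaks new ones.
SCENARIOS = {
    "old server, unmanaged client": (["aes256-gcm", "3des-cbc"], STRONG | WEAK),
    "old server, managed client": (["aes256-gcm"], STRONG | WEAK),
    "fixed server, unmanaged client": (["aes256-gcm", "3des-cbc"], STRONG),
}

if __name__ == "__main__":
    for name, (offer, support) in SCENARIOS.items():
        print(f"{name}: downgrade possible = {downgrade_possible(offer, support)}")
```

The managed-client scenario fails the handshake rather than downgrading, which is the compensating control described above; the fixed-server scenario is what the scanner's finding asks for, and it holds no matter what the client fleet supports.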

unethical_ban an hour ago | parent | prev

Why doesn't every bar with a POS system need a separate VLAN for their register?

bob1029 an hour ago | parent

If you process < 20k online transactions per year you can skip a lot of the requirements.