Securosis is Now PCI Certified
I was talking with Jeremiah Grossman out at the SOURCE Conference in Boston, lamenting the state of PCI certification. Although ASVs continue to drop their rates and reduce the requirements for compliance by issuing exceptions, it’s still a costly and intrusive process. Sure, pretty much anyone who signs up and completes payment achieves certification, but adoption rates are still low and only a fraction of the retail community, especially the online community, is compliant.

That’s why I got excited when I heard about Scanless PCI. They claim to use a patent-pending technique (doesn’t everyone) to certify merchants with no setup and no technology changes. The best part? It’s free. As in beer. Absolutely free. Free PCI certification? I don’t get the business model, but after evaluating the technology with Jeremiah and Robert Hansen (Rsnake) I’m convinced it works. If the top 2 web application security guys sign off on it, I’m all in.

According to Jeremiah,

Sounded too good to be true so I investigated their website. To my amazement I left the site completely convinced that their offering is every bit as effective at stopping hackers as other ASVs we’ve discussed here in the past. Their process was so straightforward I figured there was no excuse for my blog not to be PCI Certified as well. Check out the right side column, compliance was zip zap!

I’m sold, and Securosis is now PCI compliant!

7 comments

  1. Amrit Apr 1

    I have seen similar technologies used to great effect when I was in college. Essentially the rampant increase in STDs drove the need for a method to determine if a potential partner was “clean” from infection. Sure enough it wasn’t long before free T-shirts, with the phrase “Certified no STDs”, were seen all over campus. It was like the free-wheeling, free-loving 60s some of us read about and wished we could have been alive to participate in - a world that was totally secure from STDs, a dream, I think not…

  2. rybolov Apr 1

    I knew it was just a matter of time until you imploded under the industry pressure that PCI non-compliance brings.

    Glad you came out from the cold and joined the first world yet again.

  3. Onn Chee Apr 2

    This is obviously an April Fool’s joke…

  4. Rob Newby Apr 3

    Registrant:
    Domains by Proxy, Inc.
    DomainsByProxy.com
    15111 N. Hayden Rd., Ste 160, PMB 353
    Scottsdale, Arizona 85260
    United States

    Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
    Domain Name: SCANLESSPCI.COM
    Created on: 01-Apr-08
    Expires on: 01-Apr-09
    Last Updated on: 01-Apr-08

    Hmm… I smell a rat.

  5. Sharon Apr 4

    I was looking for a catch and could not find one. If it was a joke, I could not understand it. But then, one of my colleagues suggested the following explanation: “The joke is that they guarantee it provides as much protection as any other PCI scanning solution…meaning that the authors feel that PCI scanning provides zero protection.”

    I could not find their contact information.

  6. Rob Newby Apr 4

    Um, close enough Sharon.

    That and the fact that if Rich, Jeremiah and RSnake all say something’s good, everyone else just says, “ooh, that bandwagon looks shiny” and jumps on it.

    But basically it’s a joke, the point of ASVs is that they need to scan, that’s kind of what the S stands for. You can’t have scanless scans. The bit about offering as much protection as other ASVs and “Sure, pretty much anyone who signs up and completes payment achieves certification” is just Rich’s dry sense of humor.

    Maybe this gag was a little too subtle for those outside the security field?

  1. Mark Palmer » Seriously….
