SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Thu, 10 Apr 2014 08:31:36 -0400

On Wed, Apr 9, 2014 at 2:11 PM, Stephen John Smoogen <[log in to unmask]> wrote:
>
> On 9 April 2014 11:17, David Sommerseth <[log in to unmask]>

>> Really!?  I've been involved in a few PCI-DSS certification rounds for a
>> company which provided online payment services back in the days.
>> Granted that's some years ago now (2005 to 2008-ish).  Even though our
>> scope was limited to only processing credit card information, we did not
>> see any requirements anywhere at that time for the shopping cart to be
>> PCI-DSS certified.

Don't forget the commonplace flat-out lying in PCI-DSS certification.
When a company says "we have a policy of secure password management",
and has a video about how passwords are never known by anyone other
than the password owner and are never sent in email, then *turns
around and orders you to do so as a matter of standard practice for
your entire department*, you know your PCI-DSS certification is not
meaningful.

This sort of thing is why I spend so much time trying to get Kerberos-based
account authentication working well for SL-based environments.
It puts the access control in an environment where a central IT staff,
or me, can set sane policies, set accounts safely, never store
unencrypted passwords on any server we control, and not rely on
someone else's implementation of written policies.
