I envy you having written this, because I've wanted to do the same. I'm the adhoc IT guy / CISO / etc. for a small medical practice. I have to jump through the PCI hoops quarterly because it's an ancient junk relic of a time where Infinite Trust Networking and monthly forced password rotation were en vogue.
And why do I have to do PCI stuff? Because we have a credit card scanner that patients use to pay for things. In any sane world, compliance would be on the manufacturer of the scanner: "hey, make devices that actually, you know, encrypt stuff reliably". But since we don't live in that world, I have to have a separate Ethernet drop to the card scanner, which plugs into its own dedicated port on the firewall, which completely segregates it from the rest of the LAN traffic. That isn't horrible in concept, but why? Our servers which store PHI don't have those stringent requirements, because the servers are secured. They don't have to trust that the network is kind and gentle, because they're designed with the idea that it's not. But not so the credit card scanner!
For extra fun, we also have to pay someone to run a PCI compliance scan against our external IP. Said IP listens on exactly one port: the one that doctors use to VPN into the office so that they can check their schedule from home. We got a failing score one year because the VPN appliance supported — not required, but supported — some less-than-perfect crypto algorithm. None of our clients were configured to use those protocols. I know. I configured them. But because the server supported them, we were temporarily[0] judged to be noncompliant because some attacker could, I don't know, hack in and pivot into the firewall appliance and from there pivot to attack the poor downtrodden credit card scanner which, of course, can't be expected to defend itself from the hostile environment of a doctor's office LAN.
PCI's a joke.
[0] It would be against the scanner's ToS to temporarily block that port in our inbound firewall long enough to get them to shut up about it, so I totally did not do that.
Our PCI compliance page is an easter egg:
https://www.rsync.net/resources/regulatory/pci.html