Security Basics mailing list archives
RE: PCI question - anonymous users from uploading files
From: "Honer, Lance" <lhoner () smartgrp com>
Date: Fri, 18 Jan 2008 11:21:34 -0500
I would agree with Jason: as long as a compromise of the FTP server could not lead to a credit card exposure (via network segmentation through VLANs and/or firewalling), you should be able to take the FTP server out of scope for PCI.

Lance

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jason Thompson
Sent: Tuesday, January 15, 2008 2:41 PM
To: J. Lion
Cc: security-basics () securityfocus com
Subject: Re: PCI question - anonymous users from uploading files

I don't have a 100% yes or no, but does the ftp server have any PAN data on it or within the same network, or is the ftp server completely separate from all PAN processing, transactions and storage?

As per the PCI DSS:

8.5.8 Do not use group, shared, or generic accounts and passwords

However, if the system has no interaction at all with PAN data and, if the ftp server becomes compromised, it will not impact the PAN environment, you might be ok... I'd defer to others who may have been through this.

My only experience with anonymous FTP & PCI was with a company that had anonymous FTP enabled on their database server that housed PAN data, so I helped them fix that :). Pretty clear cut in that case. :)

-J

On Jan 15, 2008 9:58 AM, J. Lion <jv4l1n4 () gmail com> wrote:
Is there a PCI requirement for preventing anonymous users from uploading files (non PAN related files, like images or catalog data)?
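As an added illustration (not part of the thread and not any poster's code), the following Python checks the two conditions the replies turn on: whether the FTP host is actually segmented from the cardholder data environment (CDE) under a firewall policy, and whether a vsftpd configuration lets anonymous users write to the server. The firewall rules, subnets, host address and configuration file are constructed sample data; the vsftpd option names and defaults are those documented in vsftpd.conf(5).

```python
"""
Evidence a PCI assessor would want for an anonymous FTP server that is
claimed to be out of scope:

1. Under the firewall policy, can the FTP host reach any CDE address?
   If yes, the "a compromise cannot lead to card exposure" argument fails.
2. Does the vsftpd configuration allow anonymous writes at all?

All rules, addresses and the config text below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    action: str  # "allow" or "deny"


def first_matching_action(rules, src_ip, dst_ip, default="deny"):
    """First-match evaluation: the first rule whose src/dst contain the
    pair decides; if nothing matches, the default (deny) applies."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return default


def ftp_host_can_reach_cde(rules, ftp_host, cde_networks):
    """Return every CDE host address the FTP host may reach under the policy.
    An empty list means the FTP host is segmented from the CDE."""
    reachable = []
    for net in cde_networks:
        for host in ipaddress.ip_network(net).hosts():
            if first_matching_action(rules, ftp_host, str(host)) == "allow":
                reachable.append(str(host))
    return reachable


# vsftpd options that grant anonymous users write access (vsftpd.conf(5)).
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")


def parse_vsftpd(text):
    """Minimal key=value parser for vsftpd.conf; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().upper()
    return conf


def anonymous_write_enabled(conf):
    """Return the anon_* write options that are effective. Per vsftpd.conf(5),
    anonymous_enable defaults to YES, write_enable defaults to NO, and the
    anon_* write options only take effect when write_enable=YES."""
    if conf.get("anonymous_enable", "YES") != "YES":
        return []
    if conf.get("write_enable", "NO") != "YES":
        return []
    return [k for k in ANON_WRITE_KEYS if conf.get(k, "NO") == "YES"]


# Constructed sample data: a DMZ /28 holding the FTP host and a CDE /28.
FTP_HOST = "10.10.20.5"
CDE_NETWORKS = ["10.10.50.0/28"]
SEGMENTED_RULES = [
    Rule("10.10.20.0/28", "10.10.50.0/28", "deny"),   # DMZ -> CDE blocked
    Rule("10.10.20.0/28", "0.0.0.0/0", "allow"),      # other DMZ egress
]
WEAK_RULES = [
    Rule("10.10.20.0/28", "0.0.0.0/0", "allow"),      # no CDE deny rule
]
SAMPLE_VSFTPD_CONF = """
# constructed sample vsftpd.conf
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
local_enable=NO
"""

if __name__ == "__main__":
    print("segmented policy, reachable CDE hosts:",
          ftp_host_can_reach_cde(SEGMENTED_RULES, FTP_HOST, CDE_NETWORKS))
    print("weak policy, reachable CDE hosts:",
          len(ftp_host_can_reach_cde(WEAK_RULES, FTP_HOST, CDE_NETWORKS)))
    print("anonymous write options in effect:",
          anonymous_write_enabled(parse_vsftpd(SAMPLE_VSFTPD_CONF)))
```

The per-host evaluation deliberately mirrors first-match firewall semantics rather than comparing CIDRs, so a deny rule that only partially covers the CDE is reported address by address; on real rule sets the same function would be fed the exported policy instead of the constructed lists.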
Current thread:
- PCI question - anonymous users from uploading files J. Lion (Jan 15)
- Re: PCI question - anonymous users from uploading files Jason Thompson (Jan 15)
- RE: PCI question - anonymous users from uploading files Honer, Lance (Jan 18)
- RE: PCI question - anonymous users from uploading files Abimbola, Abiola (Jan 16)
- Re: PCI question - anonymous users from uploading files Lyle Worthington (Jan 17)
- <Possible follow-ups>
- Re: Re: PCI question - anonymous users from uploading files evilwon12 (Jan 15)
- Re: PCI question - anonymous users from uploading files Jason Thompson (Jan 15)