Educause Security Discussion mailing list archives
Re: PCI
From: "Semmens, Theresa" <theresa.semmens () NDSU EDU>
Date: Mon, 27 Jun 2011 07:48:38 -0700
I understand that there are not many vendors yet capable of doing IPv6 vulnerability scanning. What is being recommended for those machines that are handling cc data is that they be NATed and given an IPv4 address until more vendors have caught up with IPv6. If you do have a vendor who states they are capable of doing IPv6 scanning, it may be best to get some type of formal understanding and contractual wording from them.

Theresa Semmens, CISA
Chief IT Security Officer
North Dakota State University
IACC 210D
PO Box 6050
Fargo, ND 58108
Phone: 701-231-5870
Cell Phone: 701-212-2064
Fax: 701-231-8541
Theresa.Semmens () ndsu edu

Security is a process, privacy is a consequence
Security is action, privacy is a result of successful action
Security is the strategy, privacy is the outcome
Security is the sealed envelope, privacy is the successful delivery of the message inside the envelope
~ Kevin Beaver & Rebecca Herold

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Kendall
Sent: Monday, June 27, 2011 9:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI

Not True. It may mean you have to change your scheduling for performing scanning if you have large network segments, but it can definitely be done.

Paul L. Kendall
===================================
Paul L. Kendall, CGEIT, CISM, CISSP, CSSLP
Certified HIPAA Professional
Certified HIPAA Security Specialist
PCI Qualified Security Assessor
Senior Consultant - Assessments & Compliance
Main 281.897.5000 | Direct 817.496.6450 | Cell 713.446.5259 | http://www.accudatasystems.com/
Tower Three Galleria | 13155 Noel Road, Suite 920 | Dallas, TX 75240
http://www.facebook.com/accudatasystems

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jacobson, Dick
Sent: Monday, June 27, 2011 9:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me until after the seminar and since the seminar I have been looking for an email address for Johannes Ullrich (the instructor), but have not found one, and asked a few people around here about this. I have not been able to get a half-way-confident answer so I am bringing the question here.

I think I heard that on an IPv6 network, you cannot be PCI compliant because (I think) the size of the address space makes it impossible to scan in a timely manner, as required.

Does this question make sense? Any comments/thoughts for me?