Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: david () lang hm
Date: Thu, 2 Apr 2009 11:29:57 -0700 (PDT)
On Thu, 2 Apr 2009, Paul D. Robertson wrote:
>> The standard is not the leading instrument here, it's the experience and common sense of the assessors. The PCI doc merely serves as a checklist to demonstrate to the PCI council that requirements have been fulfilled. Either verbatim, or in any other shape or form that still fulfills the desired goal.
>
> The banks, CEOs and IT workers I've all talked to see it as a checklist to compliance, or more importantly a checklist to not getting sued. Avoiding the stick is the goal- and those who actually want the carrot look at the standard and say "This doesn't help me." That's bad, because the people most likely to know what's wrong in an environment are those who're most familiar with it. The desired goal is not getting sued... Also, we all know that businesses like efficiency and that time costs money- so are you going to check the box or are you going to write out an exception and justify it?
Worse yet, are the auditors going to accept the exception, or are they going to say "I don't care, the standard says X, they know more than you do"?

I've seen this happen with other things, where what we were doing was safe (or safe enough) in our opinion, but management got tired of fighting with auditors and told us to change to shut them up.
>> If you have to be compliant and look at the PCI requirements document, and say "this is sad" or "that is not defined", talk to a decent QSA. He can help make this a less confusing and painful experience.
>
> That doesn't make them any less sad or more defined. This is the best the multi-billion dollar payment card industry can do?
Worse yet, you end up getting a personal opinion of the QSA; next year you may deal with a different one who has a different opinion.
David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PCI DSS & Firewalls Paul D. Robertson (Apr 01)
- Re: PCI DSS & Firewalls Kurt Buff (Apr 01)
- Re: PCI DSS & Firewalls Victor Williams (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Victor Williams (Apr 02)
- Re: PCI DSS & Firewalls Frank Knobbe (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls david (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Jim Seymour (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Jim Seymour (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Paul Melson (Apr 03)
- Re: PCI DSS & Firewalls Brian Loe (Apr 05)
- Re: PCI DSS & Firewalls miedaner (Apr 05)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)