Security Basics mailing list archives

RE: PCI DSS


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 23 Aug 2007 08:21:05 +1000

Hello,
Spend some time and go to the PCI Council site. http://www.pcicouncil.org. Read the standards and the requirements.

No matter what size your organisation is, you have to meet the standards if you take cardholder information. No matter 
the size of your organisation, you have to comply - if you take cards - it is in the contract.

Worse still, even small organisations need to sign a document attesting that they have met the standard. The issue here 
is that this is not just that you have had a scan - but that you meet ALL 12 areas of the standard or have SUITABLE 
mitigating controls.

A scan from an ASV is not compliance with the standard. In addition, for instance, the following is an extract from the 
standard, which applies to all parties covered by the PCI-DSS:

"11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade 
or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to 
the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests."

These do not need to be done through an ASV or audit firm; you get to choose the pen test party that best suits you. 
Either way, you need to have this done to be compliant.

Worst of all, for all the small merchants signing that they have met the standard, they may be guilty of fraud at worst 
and a negligent misstatement at best. The ASV is not the one who gets into trouble; the merchant/issuer is.

As a merchant you have to meet the standard; it is your requirement, and no amount of paper from auditors and vendors 
will aid you if you are in breach. So when choosing the ASV, remember that you set the scope - allow them to and you get 
nothing.

You have to answer the following questionnaire:
https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf
As stated, this is a legal document - which many people seem not to understand. Lying or attempting to mislead yourself 
on the answers only hurts you.

Take the rarely implemented point 3.5; the self-assessment asks:
"Are account numbers (in databases, logs, files, backup media, etc.) stored securely- for example, by means of 
encryption or truncation?"

This means that the data is either stored AND encrypted, or it is cut off and not stored. EFS is not database 
encryption - this means table or field encryption in the database. Ticking yes because you do an XOR (as I have seen at 
least 15 firms do) is not acceptable. The standard defines the types and formats. As the security or risk manager who 
signs this, if you have not implemented encryption - really implemented it using an approved algorithm (e.g. AES) - then 
signing this may be a criminal offence.

In Australia this is covered in the Corporations Act S1309A (False or Misleading Statements), and this can have a 
penalty of several years' gaol time.

So the PCI is more than just a little tick list that gets in the way. It is your responsibility, not the ASV's. CYA.

Regards,
Craig

https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
https://www.pcisecuritystandards.org/tech/supporting_documents.htm 



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of security guy
Sent: Thursday, 23 August 2007 2:22 AM
To: security-basics () securityfocus com
Subject: PCI DSS

From what I can see there seem to be some inconsistencies between the
PCI-DSS scanning guidelines and the cost of services offered by the
ASVs. The testing process to become an ASV seems to require a certain
degree of manual testing but there are plenty of companies offering
deals such as £75 for the testing of entire host ranges. Are companies
doing a full manual test on the assessment and then just chucking a
load of automated scanners at the hosts they test commercially
afterwards? Surely there's no way any test-house can manually test
even a single host at that cost!

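The storage point Craig makes about requirement 3.5 - either truncate the PAN or encrypt it at the field level with an approved algorithm, and a repeating XOR does not count - as an added Go example. This is not code from the original post, from BDO or from the PCI Council; it is written here to show the difference in practice. The PANs are the well-known Visa and Mastercard test numbers, the AES key is generated at run time (in a real system it would come from an HSM or key service), and binding the column name as associated data is this example's own design choice, not something the standard prescribes:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// TruncatePAN is the "truncation" option: keep at most the first six and
// last four digits, discard the rest, so nothing recoverable is stored.
func TruncatePAN(pan string) (string, error) {
	d := strings.ReplaceAll(pan, " ", "")
	if len(d) < 13 || len(d) > 19 {
		return "", errors.New("PAN length out of range")
	}
	for _, c := range d {
		if c < '0' || c > '9' {
			return "", errors.New("PAN must be numeric")
		}
	}
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:], nil
}

// XorObfuscate is the repeating-key XOR the post warns about. It looks
// scrambled in the table but is not encryption: XOR is its own inverse.
func XorObfuscate(data []byte, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range out {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// RecoverXorKey shows the failure: one known PAN (a test purchase, the
// attacker's own card) and its stored value give back the key for every row.
func RecoverXorKey(knownPAN string, stored []byte, keyLen int) []byte {
	key := make([]byte, keyLen)
	for i := 0; i < keyLen && i < len(stored) && i < len(knownPAN); i++ {
		key[i] = stored[i] ^ knownPAN[i]
	}
	return key
}

// EncryptPAN is field-level encryption with AES-256-GCM: a fresh random
// nonce per value (prepended to the ciphertext) and the column name bound as
// associated data so a ciphertext cannot be moved into another column.
func EncryptPAN(key []byte, column, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), []byte(column)), nil
}

// DecryptPAN fails closed on a wrong key, a wrong column or modified bytes.
func DecryptPAN(key []byte, column string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed input: the well-known Visa and Mastercard test numbers.
	pans := []string{"4111111111111111", "5500000000000004"}
	masked, _ := TruncatePAN(pans[0])
	xorKey := []byte("s3cret")
	rows := [][]byte{XorObfuscate([]byte(pans[0]), xorKey), XorObfuscate([]byte(pans[1]), xorKey)}
	k := RecoverXorKey(pans[0], rows[0], len(xorKey)) // attacker knows one PAN only
	key := make([]byte, 32) // in production this comes from an HSM or key service
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := EncryptPAN(key, "cardholder.pan", pans[1])
	pt, _ := DecryptPAN(key, "cardholder.pan", blob)
	_, err := DecryptPAN(key, "other.column", blob)
	fmt.Println(masked, string(k), string(XorObfuscate(rows[1], k)), pt, err)
}
```

Running it prints the truncated PAN, the XOR key recovered from a single known row and the second row read back with it, the AES-GCM round trip, and the authentication error you get when the same blob is presented under another column. The XOR path is exactly the "tick yes" situation the post describes: anyone with one plaintext reads the whole table. The GCM path is what "really implemented" looks like at the field level; the remaining work is key management (rotation, separation from the database host), which no amount of code in the application hides.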