Security Basics mailing list archives
RE: PCI DSS
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 23 Aug 2007 08:21:05 +1000
Hello,

Spend some time and go to the PCI Council site: http://www.pcicouncil.org. Read the standards and the requirements. No matter what size your organisation is, you have to meet the standards if you take card holder information. No matter the size of your organisation you have to comply - if you take cards - it is in the contract. Worse still, even small organisations need to sign a document attesting that they have met the standard.

The issue here is not just that you have had a scan, but that you meet ALL 12 areas of the standard or have SUITABLE mitigating controls. A scan from an ASV is not compliance with the standard.

In addition, for instance, the following is an extract from the standard, which applies to all parties covered by the PCI-DSS:

"11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests."

These do not need to be done through an ASV or audit firm; you get to choose the pen test party that best suits you. Either way, you need to have this done to be compliant.

Worst of all, for all the small merchants signing that they have met the standard, they may be guilty of fraud at worst and a negligent misstatement at best. The ASV is not the one who gets into trouble; the merchant/issuer is. As a merchant you have to meet the standard, it is your requirement and no amount of paper from auditors and vendors will aid you if you are in breach. So when choosing the ASV - remember that you set the scope - allow them and you get nothing.
You have to answer the following questionnaire: https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf

As stated, this is a legal document - which many people seem not to understand. Lying or attempting to mislead yourself on the answers only hurts yourself. Take the rarely implemented point 3.5; the self assessment asks: "Are account numbers (in databases, logs, files, backup media, etc.) stored securely - for example, by means of encryption or truncation?" This means that the data is either stored AND encrypted or it is cut off and not stored. EFS is not database encryption - this means table or field encryption in the database. Ticking yes because you do an XOR (as I have seen at least 15 firms do) is not acceptable. The standard defines the types and formats.

As the security or risk manager who signs this, if you have not implemented encryption - really implemented it using an approved algorithm (e.g. AES) - then signing this may be a criminal offence. In Australia this is covered in the Corporations Act S1309A (False or Misleading Statements) and this can have a penalty of several years gaol time.

So the PCI is more than just a little tick list that gets in the way. It is your responsibility - not the ASV's. CYA.

Regards,
Craig

https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
https://www.pcisecuritystandards.org/tech/supporting_documents.htm

Craig Wright
Manager of Information Systems
Direct: +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of security guy
Sent: Thursday, 23 August 2007 2:22 AM
To: security-basics () securityfocus com
Subject: PCI DSS
From what I can see there seem to be some inconsistencies between the PCI-DSS scanning guidelines and the cost of services offered by the ASVs. The testing process to become an ASV seems to require a certain degree of manual testing, but there are plenty of companies offering deals such as £75 for the testing of entire host ranges. Are companies doing a full manual test on the assessment and then just chucking a load of automated scanners at the hosts they test commercially afterwards? Surely there's no way any test-house can manually test even a single host at that cost!
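Requirement 3.5 as quoted in the reply above asks for stored account numbers to be encrypted or truncated, and the reply notes that an XOR does not qualify. The Go program below is an added example, not code from either post or from the PCI Council: it shows the two acceptable approaches side by side, truncation to the first six and last four digits, and field-level AES-256-GCM with a random nonce per record. It then checks the two properties a reviewer would look for that a fixed-key XOR lacks: the same PAN does not produce the same stored bytes twice, and an altered record is rejected on decryption. The sample card number, the function names and the in-memory key are constructed for the demo; in a real deployment the key comes from a key management system, not from the database holding the PANs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// samplePAN is a constructed test card number, not a real account.
const samplePAN = "4111111111111111"

// TruncatePAN keeps at most the first six and last four digits and masks
// the rest, so the stored value can no longer reconstruct the full PAN.
func TruncatePAN(pan string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and separators
	}, pan)
	if len(digits) <= 10 {
		// Too short to keep six and four safely; mask everything.
		return strings.Repeat("*", len(digits))
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// EncryptPAN encrypts one field value with AES-256-GCM under key (32 bytes).
// A fresh random nonce is prepended to the ciphertext, so the same PAN never
// produces the same stored bytes twice, and the GCM tag detects tampering.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN; it fails if the stored record was altered.
func DecryptPAN(key, stored []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed key for the demo only (see lead-in on key management).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("truncated:", TruncatePAN(samplePAN))
	a, _ := EncryptPAN(key, samplePAN)
	b, _ := EncryptPAN(key, samplePAN)
	fmt.Println("same PAN, different stored bytes:", string(a) != string(b))
	a[len(a)-1] ^= 0x01 // flip one bit of the stored record
	_, err := DecryptPAN(key, a)
	fmt.Println("tamper detected:", err != nil)
}
```

Both functions operate on a single field value, which is the table or field level encryption the reply distinguishes from filesystem encryption such as EFS: an administrator with read access to the database file still sees only nonce and ciphertext, and only the holder of the key can recover a PAN.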
Current thread:
- PCI DSS security guy (Aug 22)
- RE: PCI DSS Craig Wright (Aug 23)
- <Possible follow-ups>
- Re: PCI DSS alistair . fletcher (Aug 23)
- Re: PCI DSS evilwon12 (Aug 23)
- FW: PCI DSS Craig Wright (Aug 23)