Security Basics mailing list archives

RE: PCI question - anonymous users from uploading files


From: "Honer, Lance" <lhoner () smartgrp com>
Date: Fri, 18 Jan 2008 11:21:34 -0500

I would agree with Jason, as long as a compromise of the FTP server could
not lead to a credit card exposure (via network segmentation through
VLANs and/or firewalling) you should be able to take the FTP server out
of scope for PCI.

Lance


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jason Thompson
Sent: Tuesday, January 15, 2008 2:41 PM
To: J. Lion
Cc: security-basics () securityfocus com
Subject: Re: PCI question - anonymous users from uploading files

I don't have a 100% yes or no, but does the ftp server have any PAN
data on it or within the same network or is the ftp server completely
separate from all PAN processing, transactions and storage?

As per the PCI DSS: 8.5.8 Do not use group, shared, or generic
accounts and passwords

However, if the system has no interaction at all with PAN data and, if
the ftp server becomes compromised, it will not impact the PAN
environment, you might be ok...

I'd defer to others who may have been through this. My only experience
with anonymous FTP & PCI was with a company that had anonymous FTP
enabled on their database server that housed PAN data, so I helped
them fix that :). Pretty clear cut in that case. :)

-J

On Jan 15, 2008 9:58 AM, J. Lion <jv4l1n4 () gmail com> wrote:
Is there a PCI requirement for preventing anonymous users from
uploading files (non PAN related files, like images or catalog data)?


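The scoping argument in this thread rests on one testable property: from the anonymous-upload FTP host there must be no network path into the environment that processes or stores PAN, whichever way the VLANs and firewall rules are arranged. The script below is an added example, not code from any poster or from any PCI document; it models a first-match firewall policy with an implicit final deny and checks whether a DMZ FTP host can reach sample hosts in a cardholder data environment. All addresses, zones, rules and service ports are constructed for illustration. A "weak" ruleset that lets the DMZ talk anywhere is shown beside a segmented one that permits only the inbound FTP control channel and the host's own DNS resolver.

```python
"""Check a segmentation policy: can a DMZ FTP host reach the cardholder data
environment (CDE)?  Every address, zone and rule here is constructed for
illustration; none describes a real network or a real PCI control."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True when the flow (src, dst, proto, dport) falls inside the rule."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def decide(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First-match evaluation; anything no rule mentions is denied."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Constructed topology: FTP host in a DMZ subnet, CDE in its own range.
FTP_HOST = "192.0.2.10"
DMZ_NET = "192.0.2.0/24"
CDE_NET = "10.10.0.0/16"
DMZ_RESOLVER = "198.51.100.53"
CDE_SAMPLE_HOSTS = ["10.10.1.5", "10.10.20.7"]

# Services a compromised host would typically try first inside the CDE.
PROBE_SERVICES: List[Tuple[str, int]] = [
    ("tcp", 22), ("tcp", 445), ("tcp", 1433), ("tcp", 3306), ("tcp", 8443), ("udp", 53),
]


def cde_paths_from(rules: List[Rule], src_ip: str) -> List[Tuple[str, str, int]]:
    """Return every (cde_host, proto, port) the source is allowed to reach."""
    return [(dst, proto, port)
            for dst in CDE_SAMPLE_HOSTS
            for proto, port in PROBE_SERVICES
            if decide(rules, src_ip, dst, proto, port) == "allow"]


def ftp_in_scope(rules: List[Rule]) -> bool:
    """Scope follows reachability: any allowed path into the CDE keeps it in scope."""
    return bool(cde_paths_from(rules, FTP_HOST))


# Weak policy: inbound FTP is fine, but the second rule lets the whole DMZ reach
# anything, including the CDE, so an FTP compromise can lead to PAN exposure.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", FTP_HOST + "/32", "tcp", 21),   # internet -> FTP control
    Rule("allow", DMZ_NET, "0.0.0.0/0", "any", None),          # DMZ -> anywhere (too broad)
]

# Segmented policy: explicit DMZ -> CDE deny ahead of the narrow egress the host needs.
SEGMENTED_RULES = [
    Rule("allow", "0.0.0.0/0", FTP_HOST + "/32", "tcp", 21),   # internet -> FTP control
    Rule("deny", DMZ_NET, CDE_NET, "any", None),               # DMZ never reaches the CDE
    Rule("allow", DMZ_NET, DMZ_RESOLVER + "/32", "udp", 53),   # DMZ -> its own resolver only
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("segmented", SEGMENTED_RULES)):
        paths = cde_paths_from(rules, FTP_HOST)
        print(f"{name}: FTP host in PCI scope = {bool(paths)}; reachable CDE services = {paths}")
```

The check is only as good as the model: the rule list must be the one actually loaded on every device between the DMZ and the CDE, and the sample CDE hosts and probe ports should cover the services really present there. Running the same reachability test from a live host in the DMZ, rather than from a model of the policy, is the evidence an assessor would expect for the "could not lead to a credit card exposure" claim made above.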
 