Security Basics mailing list archives
RE: DSS
From: "Hill, Pete" <Pete.Hill () sit-up tv>
Date: Fri, 23 May 2008 16:21:31 +0100
Thanks for the reply. For some reason I couldn't get your link to work? Ive double checked the standard and it states: "Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement." Does that mean both requirements, the review and the firewall? Pete -----Original Message----- From: Nick Vaernhoej [mailto:nick.vaernhoej () capitalcardservices com] Sent: 23 May 2008 16:17 To: Hill, Pete; security-basics () securityfocus com Subject: RE: DSS Good morning, Have you scanned through the supplemental information regarding 6.6? https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewa lls_codereviews.pdf You have two options, code review or web application firewall. You state that you already have custom code reviewed so I would think you are in good shape. What makes you think you need to do both? (It is a good idea to do so of course, but not necessary to satisfy PCI). Have a great day. Nick Vaernhoej "Quidquid latine dictum sit, altum sonatur."
-->-----Original Message----- -->From: listbounce () securityfocus com -->[mailto:listbounce () securityfocus com] On Behalf Of Hill, Pete -->Sent: Friday, May 23, 2008 8:53 AM -->To: security-basics () securityfocus com -->Subject: PCI: DSS --> --> -->Hi all, --> -->Can anyone confirm for me what sort of workarounds there are -->concerning PCI:DSS and application layer firewalls? --> -->Requirement 6.6 of the standard states this: --> -->6.6 Ensure that all web-facing applications are protected against -->known attacks by applying either of the following methods: -->* Having all custom application code reviewed for common -->vulnerabilities by an organization that specializes in application -->security -->* Installing an application layer firewall in front of web-facing -->applications. -->Note: This method is considered a best practice until June 30, 2008,
-->after which it becomes a requirement. --> -->We already have our custom code reviewed, but Im wondering if I -->absolutely must sort out an application layer firewall or if there
is
-->a -->workaround that would be acceptable for a level 1 merchant. --> -->If there are any knowledgeable auditors (qsa etc) out there I'd -->really appreciate your help on this one. --> -->Many thanks -->Pete --> --> -->A number of bogus e-mails are currently circulating in the UK -->encouraging customers to visit fraudulent websites where personal or
-->Internet security details are requested. Bid tv/Price-drop tv/Speed -->auction tv would never send e-mails that ask for confidential, -->personal security information or details regarding your account -->status. --> -->The content of this e-mail does not constitute a contract and any -->matters discussed herein remain subject to contract. --> -->The contents of this message and all attachments have been sent in -->confidence for the attention of the addressee only. If you are not -->the intended recipient you are kindly requested to preserve this -->confidentiality and to advise the sender immediately of the error in
-->transmission. --> -->"sit-up ltd, registered in England No: 03877786. -->Registered Office: Sit-Up House, 179-181 The Vale, London W3 7RW. -->Sit-Up ltd is wholly owned by a subsidiary of Virgin Media."
This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please notify the sender that this message was received in error and then delete this message. Thank you.