Security Basics mailing list archives

Re: PCI Gurus?


From: Joseph Saselli <jsaselli () real com>
Date: Tue, 18 Jan 2011 11:23:37 -0800

Only those items actually considered in scope fall under PCI DSS 2.0. Now, in order to determine if something is in 
scope, you would need to determine if Company A's appliance itself is within scope first.

Here are some basic questions that will help to determine if it is in scope. 

1. Does the appliance have any credit card data going through it?
If the answer is yes, then it is in scope.

2. Does the appliance use the same network VLAN that Company B is using for credit card processing, credit card data 
transfer, or credit card data storage?
If yes, then it is in scope.

If the appliance is not used for anything regarding credit card processing, and if the appliance is not using the same 
network segment that the credit card processing is taking place on, or that credit card data transfer in any way is 
taking place on, then it is not within scope.

The best way to ensure it remains out of scope of PCI DSS 2.0 is to ensure it is using a segmented portion of the 
network at Company B, or, more importantly, that Company B has all their credit card data using a separate network 
segment from all other data: the network segment they are using for credit card data has a firewall ensuring it is 
secure from all other network segments, the credit card network segment cannot be accessed from any other network 
segments except through a hardened bastion host, and then only by those who are approved to do so. 

Basically, the appliance will be in scope of PCI DSS 2.0, even if it is not doing anything with credit card data at all, 
if it resides on the same network segment that credit card data is traveling on.



Joe Saselli
Senior Manager Global Information Systems Security & Network Engineering
Global Infrastructure Operations 
Shared Services Division-TPS

MIT - Information Technology, Internet Security
BIT - Information Technology, Systems Administration
ITIL Certified

GIO - Real Networks, Inc.
2601 Elliott Avenue
Seattle, WA 98121

jsaselli () real com

Office: +1.206.892.6058
Mobile: +1.206.499.0228

www.real.com

On Jan 17, 2011, at 1:37 PM, daniel svartman wrote:

Hello,

Regarding your problem, let me introduce you to how the PCI DSS works.
First, the PCI DSS requires that all systems, including those that are
not part of the company but are connected to its network, should be
compliant with PCI. Therefore, if in this scenario Company A is
installing a device in Company B, the device and services provided by
this device should be compliant too. So here is the big question:
should Company A be PCI compliant, or just the devices? Or what
specific things from the device?
If Company A installs the device and also manages it, then Company A
should comply with PCI requirements 2, 4, 5 (if applicable), 6, 7, 8
and partially 10, 11 and 12.
If Company A just installs the device but Company B manages it, then
Company B should add some caveats to the contract with Company B
detailing that, and then determine the responsibility on the device.

Regards,

Daniel

On Friday, January 14, 2011,  <shankl () hotmail com> wrote:
Here's a little scenario that I wanted to throw out there and get an opinion on from someone who knows PCI. I am 
starting to learn but couldn't help with this problem because I've never assisted in a PCI audit...

(I would think this problem has been encountered by many small companies that make network appliances)

====== Background =======

1) Company A is a small company (only 5 employees)

2) They provide a service which requires their customer, Company B, to install a small network appliance on their 
LAN in order to collect data from their onsite mechanical equipment.

3) Operating data is then pulled from these mechanical systems and then dumped to a remote server which processes 
the data and provides a dashboard for the customer to view (via SSL).

4) Company B bought a license for this service and was also handed over the keys to administer accounts and decide 
which employees it would like to give access to.

5) Now let’s say that Company B typically processes credit card payments locally and sends transaction data through 
their local LAN on its way out to their payment processor.

====== Problems =======

1) Company A does not take credit cards and is not required to be PCI compliant however they do provide a service 
which requires their network appliance to be installed on Company B’s network.

2) In recent days Company A has come to the conclusion that in some of Company B’s newly acquired satellite offices, 
credit card data is being forwarded across the LAN in a variety of ways (some of which do not look to be 
secure/encrypted).

3) In addition, several of these satellite offices are running consumer grade routers (e.g. Linksys, Netgear) 
providing little in the way of segmentation.

4) Company A would like to avoid being "In Scope" and having to charge the client for consulting fees.

====== Questions =======

1) For the smaller satellite offices what might be a simple fix?

2) Does segregation provide an easy way to kick devices out of scope for PCI audits?

3) Would it be recommended/possible to have a firm produce a report which could be handed to an auditor and prove 
“Out of Scope” prior to being dragged into one of these audits?

4) Could the network appliance be designed/situated in such a way as to be “out of scope” or at least easily 
verifiable as compliant even if it was sitting on the same logical subnet where the card data traffic was moving 
across?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
