Educause Security Discussion mailing list archives

Re: PCI


From: "Semmens, Theresa" <theresa.semmens () NDSU EDU>
Date: Mon, 27 Jun 2011 07:48:38 -0700

I understand that there are not many vendors yet capable of doing IPv6 vulnerability scanning. What is being 
recommended for those machines that are handling cc data is that they be NATed and given an IPv4 address 
until more vendors have caught up with IPv6. If you do have a vendor who states they are capable of doing IPv6 
scanning, it may be best to get some type of formal understanding and contractual wording from them.

Theresa Semmens, CISA
Chief IT Security Officer
North Dakota State University
IACC 210D
PO Box 6050
Fargo, ND 58108
Phone: 701-231-5870
Cell Phone: 701-212-2064
Fax: 701-231-8541
Theresa.Semmens () ndsu edu


Security is a process, privacy is a consequence
Security is action, privacy is a result of successful action
Security is the strategy, privacy is the outcome
Security is the sealed envelope, privacy is the successful delivery of the message inside the envelope
~ Kevin Beaver & Rebecca Herold


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul 
Kendall
Sent: Monday, June 27, 2011 9:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI

Not True. It may mean you have to change your scheduling for performing scanning if you have large network segments, 
but it can definitely be done.

Paul L. Kendall
===================================
Paul L. Kendall, CGEIT, CISM, CISSP, CSSLP
Certified HIPAA Professional
Certified HIPAA Security Specialist
PCI Qualified Security Assessor
Senior Consultant - Assessments & Compliance

Main 281.897.5000  |  Direct 817.496.6450  |  Cell 713.446.5259  |  http://www.accudatasystems.com
Tower Three Galleria  |  13155 Noel Road, Suite 920  |  Dallas, TX 75240


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Jacobson, Dick
Sent: Monday, June 27, 2011 9:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PCI

I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me 
until after the seminar, and since the seminar I have been looking for an email address for Johannes Ullrich (the 
instructor), but have not found one, and asked a few people around here about this. I have not been able to get a 
half-way-confident answer so I am bringing the question here.

I think I heard that on an IPv6 network, you cannot be PCI compliant because (I think) the size of the address space 
makes it impossible to scan in a timely manner, as required.

Does this question make sense? Any comments/thoughts for me?

