Educause Security Discussion mailing list archives
Re: PCI
From: Barron Hulver <Barron.Hulver () OBERLIN EDU>
Date: Mon, 27 Jun 2011 16:08:55 -0400
I'm in the process of working through our PCI compliance and submitting the SAQ for each of our merchant accounts, but I don't think the IPv6 scanning is a major issue.
First, my observation is that PCI lags behind the industry. For example, as someone else has already pointed out, there is no NAT in IPv6.
Second, I'm going to use additional contexts on our firewalls to segment systems applicable for each merchant account into *very* small subnets in order to limit the scope of PCI. (Segmentation was already mentioned by someone else.) I'm currently thinking that I will administer the PCI contexts while I continue to have my staff manage the other contexts.
Third, there is always the option to not enable IPv6 on those systems that are in scope for PCI.
Barron

Barron Hulver
Director of Networking, Operations, and Systems
Center for Information Technology
Oberlin College
148 West College Street
Oberlin, OH 44074
440-775-8702
http://www2.oberlin.edu/staff/bhulver/

On 6/27/11 10:41 AM, Jacobson, Dick wrote:
I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me until after the seminar and since the seminar I have been looking for an email address for Johannes Ullrich (the instructor), but have not found one, and asked a few people around here about this. I have not been able to get a half-way-confident answer so I am bringing the question here.

I think I heard that on an IPv6 network, you cannot be PCI compliant because (I think) the size of the address space makes it impossible to scan in a timely manner, as required. Does this question make sense? Any comments/thoughts for me?