Educause Security Discussion mailing list archives

Re: PCI


From: Barron Hulver <Barron.Hulver () OBERLIN EDU>
Date: Mon, 27 Jun 2011 16:08:55 -0400

I'm in the process of working through our PCI compliance and submitting the SAQ for each of our merchant accounts, but I don't think the IPv6 scanning is a major issue.

First, my observation is that PCI lags behind the industry. For example, as someone else has already pointed out, there is no NAT in IPv6.

Second, I'm going to use additional contexts on our firewalls to segment systems applicable for each merchant account into *very* small subnets in order to limit the scope of PCI. (Segmentation was already mentioned by someone else.) I'm currently thinking that I will administer the PCI contexts while I continue to have my staff manage the other contexts.

Third, there is always the option to not enable IPv6 on those systems that are in scope for PCI.

Barron


Barron Hulver
Director of Networking, Operations, and Systems
Center for Information Technology
Oberlin College
148 West College Street
Oberlin, OH  44074
440-775-8702
http://www2.oberlin.edu/staff/bhulver/


On 6/27/11 10:41 AM, Jacobson, Dick wrote:
I attended an IPv6 seminar last week and am wondering if I heard
something correctly. This did not register with me until after the
seminar and since the seminar I have been looking for an email address
for Johannes Ullrich (the instructor), but have not found one, and
asked a few people around here about this. I have not been able to get a
half-way-confident answer so I am bringing the question here.

I think I heard that on an IPv6 network, you cannot be PCI compliant
because (I think) the size of the address space makes it impossible to
scan in a timely manner, as required.

Does this question make sense? Any comments/thoughts for me?


