Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Apr 2009 13:16:05 -0500 (EST)
> I just wanted to say that this is not an "industry standard" in terms of laying out specific details that can be followed to the letter to be compliant. It's also not a checkbox-type checklist to magically make you compliant (or secure). Rather, it is a guide to help QSAs assess the security of entities having to be PCI compliant. It provides a minimal baseline in my opinion, and assessors should always strive to use common sense while reviewing networks and systems, and apply best practices in order to achieve maximum security.
Maximum security comes from product selection, trained staff and regular audits, not from blind scans, blind pen-tests and third party analysts who don't have real-world experience. I get what you're saying, I'm just saying that the Kool-Aid isn't all that good here. It's done a further disservice by not having clear, operable and well-written standards that the operational people can use to evaluate and understand what practices they need to comply with and how. The QSAs are all making money- because they're all mandated, but frankly the fact that we've seen three of them go on probation recently is a sign that the underlying fundamentals here aren't strong. I find it highly ironic that the only technical training mandated is in Incident Response- isn't the message there "don't worry about learning about security, just learn how to clean up the mess?"
> The standard is not the leading instrument here, it's the experience and common sense of the assessors. The PCI doc merely serves as a checklist to demonstrate to the PCI council that requirements have been fulfilled. Either verbatim, or in any other shape or form that still fulfills the desired goal.
The banks, CEOs and IT workers I've all talked to see it as a checklist to compliance, or more importantly a checklist to not getting sued. Avoiding the stick is the goal- and those who actually want the carrot look at the standard and say "This doesn't help me." That's bad, because the people most likely to know what's wrong in an environment are those who're most familiar with it. The desired goal is not getting sued... Also, we all know that businesses like efficiency and that time costs money- so are you going to check the box or are you going to write out an exception and justify it?
> If you have to be compliant and look at the PCI requirements document, and say "this is sad" or "that is not defined", talk to a decent QSA. He can help make this a less confusing and painful experience.
That doesn't make them any less sad or more defined. This is the best the multi-billion dollar payment card industry can do?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards