RE: PCI/DSS compliant Managed IDS

["Craig Wright" <Craig.Wright () bdo com au>]

Hello,
 
Although I agree in principle and feel that it is reprehensible for a hosting party to offer services in full knowledge 
of these requirements (and I will exclude the small minority that are just innocently ignorant) one must remember that 
the PCI-DSS is a contractual agreement with the card issuer.

 

So although the standard calls for the hosting company to be complaint, it is not their breach if they fail this 
standard, but the breach of the merchant.

 

The merchant is contractually required to ensure that any hosting/3rd party services are contractually bound as well to 
this standard. However, the 3rd party remains remote from the initiating contract and is not bound by its provisions.

 

So the 3rd party is not required to be complaint, rather the merchant is required to ensure that their contract ensure 
that the hosting party is bound. 

 

These may be legal distinctions, but at the end of the day, this is where it hits the proverbial fan.

 
Regards,
Craig



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

________________________________


From: listbounce () securityfocus com on behalf of ebk_lists () hotmail com
Sent: Fri 24/08/2007 3:07 AM
To: 
Subject: Re: PCI/DSS compliant Managed IDS



I'd vote yes:

"Appendix says:
As referenced in Requirement 12.8, all service providers with access to cardholder data (including hosting
providers) must adhere to the PCI DSS.

12.8:
12.8 If cardholder data is shared with service providers, then contractually the following is required:
12.8.1 Service providers must adhere to the PCI DSS requirements
12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for
the security of cardholder data the provider possesses."

If the monitoring of the IDS provide access to cardholder or transaction data, they must also be compliant.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------