Penetration Testing mailing list archives
Re: PCI Compliance Scope
From: Eric Milam <emilam () coretechsg com>
Date: Thu, 12 Nov 2009 13:34:27 -0800
It's not my decision; last I checked, I don't think the PCI Council allowed it as the only form of separation.
Tracy Reed wrote:
> On Thu, Nov 12, 2009 at 12:42:35PM -0800, Eric Milam spake thusly:
> > Basically the fear is base camps from which to launch an attack. As Erin stated below, if there are measures in place (not just vlans) to prevent access from the log machine to the Card Holder data environment then it may be that the device will be out of scope.
>
> Why not just VLANs? Do we not trust VLANs or are we worried about VLAN misconfiguration? Or switch compromise? Cisco commissioned a study by @Stake (IIRC) which made a pretty good case for VLAN security. Of course, that may just be Cisco getting the results it paid for. But it seemed reasonable to me.