WebApp Sec mailing list archives
RE: PCI DSS Compliance
From: "Craig Wright" <cwright () bdosyd com au>
Date: Mon, 19 Dec 2005 20:23:00 +1100
The entire document and all associated pages. An automated, not verified process does not meet the scaning/testing requirements. It is thus entirely irrelivant to the discussion as it will not help you be compliant. All up for "simple systems" and low volume site requiring low level testing have still over 100 pages of requirement documents. The summary of 12 points is not the entire process. There are separate scan and testing processed that need to be done. Application tests need to be done. A method to ensure that all systems are single use need to be implemented etc etc As stated - this is for Low volume simple sites. More detailed sites need to be formally audited to a level that make a SAS 70 part 2 look simple. CardSystems was never compliant for example as they never had a valid test as per the PCI DSS. Craig -----Original Message----- From: Pete Herzog [mailto:lists () isecom org] Sent: Mon 19/12/2005 6:12 PM To: Craig Wright Cc: syedma () microland net; mjohnso6 () optonline net; Ademar Gonzalez; webappsec () securityfocus com Subject: Re: PCI DSS Compliance > Read the document > > You have to verify the port - this is one section of the document. When > you read all the requirements than judge. I did read it. Did you even read my post? I had only commented on the automated, not verified process that appeared to be used by this particular vendor and then on the senselessness of the process (the myth of patching). -pete. Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- Re: PCI DSS Compliance, (continued)
- Re: PCI DSS Compliance Peter Watkins (Dec 16)
- RE: PCI DSS Compliance Sebastien Deleersnyder (Dec 15)
- RE: PCI DSS Compliance Steve Kerns (Dec 15)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Lyal Collins (Dec 20)
- Re: PCI DSS Compliance Pete Herzog (Dec 29)
- RE: PCI DSS Compliance Lyal Collins (Dec 29)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- Re: PCI DSS Compliance Roberto Tanara (Dec 21)
- RE: PCI DSS Compliance Lyal Collins (Dec 21)
- Re: PCI DSS Compliance Roberto Tanara (Dec 22)