Security Basics mailing list archives
RE: PCI Gurus?
From: Jon Spiers <jon.spiers () npcinternational com>
Date: Tue, 18 Jan 2011 11:48:02 -0800
Depending on what the device is, and does, Company B should feel free to segment the device onto a part of their internal network where it is inaccessible from the PCI environment. There is nothing that says that everything on the network needs to be secure and PCI compliant; however, anything in the PCI scope of the network needs to be. So, if they have done no segmentation through VLANs or ASA firewalls, then yes, everything would be in scope. Company B needs to segment the network.

How to easily remedy the satellite offices? Without knowing the specific network layout that will be difficult to answer. Segmentation, again, is the only way to remove offices or devices from the PCI scope.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of daniel svartman
Sent: Monday, January 17, 2011 3:37 PM
To: shankl () hotmail com
Cc: security-basics () securityfocus com
Subject: PCI Gurus?

Hello,

Regarding your problem, let me introduce you to how the PCI DSS works.

First, the PCI DSS requires that all systems, including those that are not part of the company but are connected to its network, should be compliant with PCI. Therefore, if in this scenario Company A is installing a device in Company B, the device and services provided by this device should be compliant too.

So here is the big question: should Company A be PCI compliant, or just the devices? Or what specific things from the device?

If Company A installs the device and also manages it, then Company A should comply with PCI requirements 2, 4, 5 (if applicable), 6, 7, 8 and partially 10, 11 and 12. If Company A just installs the device but Company B manages it, then Company B should add some caveats to the contract with Company B detailing that and then determine the responsibility on the device.

Regards,
Daniel

On Friday, January 14, 2011, <shankl () hotmail com> wrote:
Here's a little scenario that I wanted to throw out there and get an opinion on by someone who knows PCI. I am starting to learn but couldn't help with this problem because I've never assisted in a PCI audit... (I would think this problem has been encountered by many small companies that make network appliances)

====== Background =======

1) Company A is a small company (only 5 employees).
2) They provide a service which requires their customer, Company B, to install a small network appliance on their LAN in order to collect data from their onsite mechanical equipment.
3) Operating data is then pulled from these mechanical systems and then dumped to a remote server which processes the data and provides a dashboard for the customer to view (via SSL).
4) Company B bought a license for this service and was also handed over the keys to administer accounts and decide which employees it would like to give access to.
5) Now let's say that Company B typically processes credit card payments locally and sends transaction data through their local LAN on its way out to their payment processor.

====== Problems =======

1) Company A does not take credit cards and is not required to be PCI compliant; however, they do provide a service which requires their network appliance to be installed on Company B's network.
2) In recent days Company A has come to the conclusion that in some of Company B's newly acquired satellite offices, credit card data is being forwarded across the LAN in a variety of ways (some of which do not look to be secure/encrypted).
3) In addition, several of these satellite offices are running consumer grade routers (i.e. Linksys, Netgear) providing little in the way of segmentation.
4) Company A would like to avoid being "In Scope" and having to charge the client for consulting fees.

====== Questions =======

1) For the smaller satellite offices what might be a simple fix?
2) Does segregation provide an easy way to kick devices out of scope for PCI audits?
3) Would it be recommended/possible to have a firm produce a report which could be handed to an auditor and prove "Out of Scope" prior to being dragged into one of these audits?
4) Could the network appliance be designed/situated in such a way as to be "out of scope" or at least easily verifiable as compliant even if it was sitting on the same logical subnet where the card data traffic was moving across?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
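The scoping rule both replies rely on (a device is in scope if it handles cardholder data or if the network lets it talk to something that does, and a flat LAN behind a consumer router therefore puts everything in scope) can be checked mechanically against a network model. The script below is an added illustration written for this archive page, not code from the thread or from any of the companies discussed; the hosts, VLAN names and firewall rules are constructed, and it models direct connectivity only, so it is a planning aid, not a substitute for an assessor's scoping decision.

```python
"""
Added example (not from the mailing-list thread): a reachability-based PCI
scoping check.  A host is in scope if it is part of the cardholder data
environment (CDE) or if the segmentation in place still lets it exchange
traffic with a CDE host.  All hosts, VLANs and rules are constructed.
"""


def build_connectivity(hosts, rules):
    """Map each host to the set of hosts it can exchange traffic with.

    hosts: dict host -> VLAN.  Hosts in the same VLAN can always talk (no
    intra-VLAN filtering is assumed).  rules: iterable of (src_vlan, dst_vlan)
    pairs permitted by the firewall.  Either direction counts as connectivity,
    because a permitted flow in one direction is a path between the segments.
    """
    allowed = set()
    for src, dst in rules:
        allowed.add((src, dst))
        allowed.add((dst, src))
    peers = {h: set() for h in hosts}
    for a, vlan_a in hosts.items():
        for b, vlan_b in hosts.items():
            if a != b and (vlan_a == vlan_b or (vlan_a, vlan_b) in allowed):
                peers[a].add(b)
    return peers


def pci_scope(hosts, cde, rules):
    """Return the in-scope hosts: the CDE plus every host that can reach,
    or be reached by, a CDE host under the given segmentation."""
    peers = build_connectivity(hosts, rules)
    scope = set(cde)
    for host in hosts:
        if host not in cde and peers[host] & cde:
            scope.add(host)
    return scope


# --- constructed sample topologies (hypothetical names) -------------------
CDE = {"pos-terminal", "payment-gateway"}

# 1. A satellite office behind a consumer-grade router: one flat LAN.
FLAT = {
    "pos-terminal": "lan",
    "payment-gateway": "lan",
    "hr-workstation": "lan",
    "vendor-appliance": "lan",   # Company A's data collector (hypothetical)
}

# 2. The same office after segmentation: separate VLANs; each VLAN may only
#    reach the "internet" segment (which holds no internal hosts).
SEGMENTED = {
    "pos-terminal": "pos",
    "payment-gateway": "pos",
    "hr-workstation": "office",
    "vendor-appliance": "ot",    # appliance sits with the mechanical equipment
}
SEGMENTED_RULES = [
    ("office", "internet"),
    ("ot", "internet"),          # appliance pushes data to the remote server
    ("pos", "internet"),         # payment traffic out to the processor
]

# 3. A mis-step that silently widens scope: an office -> pos "support" rule.
LEAKY_RULES = SEGMENTED_RULES + [("office", "pos")]


def report(label, hosts, rules):
    """Print and return the scope for one topology."""
    scope = pci_scope(hosts, CDE, rules)
    out = sorted(set(hosts) - scope)
    print(f"{label}: in scope = {sorted(scope)}; out of scope = {out}")
    return scope


if __name__ == "__main__":
    report("flat LAN", FLAT, [])
    report("segmented", SEGMENTED, SEGMENTED_RULES)
    report("segmented + office->pos rule", SEGMENTED, LEAKY_RULES)
```

Run as-is, the flat LAN puts all four hosts in scope, the segmented layout leaves only the two CDE hosts in scope (the appliance is out because nothing permits traffic between the "ot" and "pos" segments), and the added office-to-POS rule drags the HR workstation back in while the appliance stays out. That last case is the evidence an auditor would want behind a "segmentation removes it from scope" claim: the actual rule set, not the intended design.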
Current thread:
- PCI Gurus? shankl (Jan 14)
- Re: PCI Gurus? Venkatesh Selvaraju (Jan 18)
- RE: PCI Gurus? Simon Thornton (Jan 18)
- RE: PCI Gurus? Matthew Reed (Jan 18)
- PCI Gurus? daniel svartman (Jan 18)
- Re: PCI Gurus? Joseph Saselli (Jan 18)
- Re: PCI Gurus? John Morrison (Jan 21)
- RE: PCI Gurus? Jon Spiers (Jan 18)
- Re: PCI Gurus? Joseph Saselli (Jan 18)
- <Possible follow-ups>
- Re: Re: PCI Gurus? krymson (Jan 18)