Dailydave mailing list archives
Re: PCI-DSS and ssh public key question
From: "B.K. DeLong" <bkdelong () pobox com>
Date: Tue, 10 Jun 2008 11:22:01 -0400
Not to get too off-topic, but one of the questions many merchants have been asking is how willing is the QSA to stand up for their audit findings and PCI Compliance certification? Hannaford is obviously one of the more recent examples, as they were deemed compliant and yet they had a fairly large breach. It's not news that every QSA is different and some are far more strict than others - are there any accountability standards for QSAs? Can the PCI Council or the card acquirer affected sanction a QSA for an audit that was too lenient? Yes, PCI Compliance does not equal being secure by any means, but that is definitely an end-goal of the PCI-DSS (with another major one being the game of risk transference).

I would also follow up Lee's comments (to keep this on topic): make sure said compensating control is proposed to the QSA in writing and approved by them in writing to maintain the full audit trail. I've heard of quite a few cases where an auditor says one thing and the acquirer or Council says another, and no one can find the paperwork to reconcile.

On Tue, Jun 10, 2008 at 4:00 AM, Lee Brotherston <lee () nerds org uk> wrote:
> On Mon, Jun 09, 2008 at 04:27:14PM -0400, Paul Wouters wrote:
> > Does anyone have a definitive answer on whether ssh public key encryption, without hardware tokens, is allowed according to PCI-DSS?
>
> Unfortunately the PCI-DSS standard is generally fluffy enough that there is no definitive answer to much of it. I would say the best course of action is to ask your QSA when they are doing your gap analysis. After all, it's their opinion that counts, at least from the perspective of getting the accreditation anyway.
--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org