Dailydave mailing list archives

Re: PCI-DSS and ssh public key question


From: "B.K. DeLong" <bkdelong () pobox com>
Date: Tue, 10 Jun 2008 11:22:01 -0400

Not to get too off-topic but one of the questions many merchants have
been asking is how willing is the QSA to stand up for their audit
findings and PCI Compliance certification? Hannaford is obviously one
of the more recent examples as they were deemed compliant and yet they
had a fairly large breach.

It's not news that every QSA is different and some are far more strict
than others - are there any accountability standards for QSAs? Can the
PCI Council or the card acquirer affected sanction a QSA for an audit
that was too lenient? Yes, PCI Compliance does not equal being secure
by any means but that is definitely an end-goal of the PCI-DSS (with
another major one being the game of risk transference).

I would also follow up Lee's comments (to keep this on topic) to make
sure said compensating control is proposed to the QSA in writing and
approved by them in writing to maintain the full audit trail. I've
heard of quite a few cases where an auditor says one thing and the
acquirer or Council says another and no one can find the paperwork to
reconcile.

On Tue, Jun 10, 2008 at 4:00 AM, Lee Brotherston <lee () nerds org uk> wrote:
> On Mon, Jun 09, 2008 at 04:27:14PM -0400, Paul Wouters wrote:
> > Does anyone have a definitive answer on whether ssh public key encryption,
> > without hardware tokens, is allowed according to PCI-DSS?
>
> Unfortunately the PCI-DSS standard is generally fluffy enough that
> there is no definitive answer to much of it.  I would say the best
> course of action is to ask your QSA when they are doing your gap
> analysis.  After all, it's their opinion that counts, at least from
> the perspective of getting the accreditation anyway.

-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave