WebApp Sec mailing list archives

RE: PCI DSS Compliance


From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 21 Dec 2005 07:04:41 +1100

I don't think it's a question of the PCI document being right or wrong, but
of compliance to a set of documented requirements in order to either stay in
business or minimise financial impact on a company if a security breach
involving credit cards occurs.

PCI requires, among 190+ other things, vuln scanning of all internet facing
systems, and those internal systems that process cardholder data, not the
entire internal network. PCI also requires an annual pen-test, to attempt
to exploit scanning-discovered vulnerabilities. Of course you may choose
to scan the rest of the entire network as part of enterprise security
management.

lyal

-----Original Message-----
From: Pete Herzog [mailto:lists () isecom org] 
Sent: Tuesday, 20 December 2005 2:03 AM
To: Craig Wright
Cc: syedma () microland net; mjohnso6 () optonline net; Ademar Gonzalez;
webappsec () securityfocus com
Subject: Re: PCI DSS Compliance



Craig Wright wrote:
> An automated, not verified process does not meet the scanning/testing
> requirements. It is thus entirely irrelevant to the discussion as it
> will not help you be compliant.

The question was about whether assuring all known vulns are patched by 
disabling all security controls is correct.  That was the question which 
prompted my discussion about PCI.  For me, vuln scanning an entire 
network is very wrong and a pointless task.  And I think it's important 
we challenge notions we suspect to be wrong either to fix them or 
correct ourselves.  I am proud of you for reading the whole PCI document 
and all associated pages but what good does it do you if it isn't correct?

-pete.
