WebApp Sec mailing list archives
RE: PCI DSS Compliance
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 21 Dec 2005 07:04:41 +1100
I don't think it's a question of the PCI document being right or wrong, but of compliance to a set of documented requirements in order to either stay in business or minimise financial impact on a company if a security breach involving credit cards occurs. PCI requires, among 190+ other things, vuln scanning of all internet facing systems, and those internal systems that process cardholder data, not the entire internal network. PCI also requires an annual pen-test, to attempt to exploit scanning-discovered vulnerabilities. Of course you may choose to scan the rest of the entire network as part of enterprise security management.

lyal

-----Original Message-----
From: Pete Herzog [mailto:lists () isecom org]
Sent: Tuesday, 20 December 2005 2:03 AM
To: Craig Wright
Cc: syedma () microland net; mjohnso6 () optonline net; Ademar Gonzalez; webappsec () securityfocus com
Subject: Re: PCI DSS Compliance

Craig Wright wrote:
> An automated, not verified process does not meet the scanning/testing requirements. It is thus entirely irrelevant to the discussion as it
> will not help you be compliant.

The question was about whether assuring all known vulns are patched by disabling all security controls is correct. That was the question which prompted my discussion about PCI. For me, vuln scanning an entire network is very wrong and a pointless task. And I think it's important we challenge notions we suspect to be wrong either to fix them or correct ourselves. I am proud of you for reading the whole PCI document and all associated pages but what good does it do you if it isn't correct?

-pete.