WebApp Sec mailing list archives
Re: PCI DSS Compliance
From: Pete Herzog <lists () isecom org>
Date: Thu, 29 Dec 2005 11:25:54 +0100
Lyal, all, Sorry for the delay-- I had vacation. Lyal Collins wrote:
I don't think it's a question of the PCI document being right or wrong, but of compliance to a set of domumented requirements in order to either stay in business or minimise financial impact on a company if a security breach involving credit cards occurs.
This is indeed a problem where compliance is seen as protection. The two are very often not the same. Why accept the PCI document as one
that minimizes financial impact, privacy breaches, etc. if the premiseonly scratches the surface of the definition of protection? We cannot simply accept that products, blacklists, and the products that love them are to be regulations. Compliance should be simply the do's and don'ts of protection and loss controls with metrics to assure compliance. Remember that best practices are not best for all. The protection requirements should be documented but not the process of achieving them.
PCI requires, among 190+ other things, vuln scanning of all internet facing systems, and those internal systems that process cardholder data, not the entire internal network. PCI also requires an annual pen-test, to attempt to exploit scanning-discovered vulnerabilities. Of course you may choose to scan the rest of the entire network as part of enterprise security management.
Pen tests are another thing that are also poor security tests. Requiring a pen test is barely better than requiring a vulnerabilityscan of systems that hold cardholder data. But maybe I don't understand what you mean by pen test. To me it's a test for exploiting weaknesses in a network to raise privileges and meet a pre-assigned goal (such as card member data).
In that case a pen test is big mistake. A black box pen test can only ever be favorable to the client as opposed to one where the tester has more information about the network, the systems, the processes, and the alert/alarm profile. The latter is more beneficial to the card holders and the card issuers because it would mean something about testing protection and loss controls and not just the tester's skills.
Sure PCI is about compliance but takes the wrong approach to be aboutprotection and loss controls. For example, just asking for a third-party every year is such a huge generalization because if you consider the speed of progress, then shouldn't sites with more interactions, a greater scope, need more frequent audits than smaller ones? If this was based on a metric, you could assure audits were done whenever the metric reached an unsavory number.
I know this document came out to improve things but it's still far from that goal.
Sincerely, -pete.
Current thread:
- Re: PCI DSS Compliance, (continued)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Lyal Collins (Dec 16)
- Re: PCI DSS Compliance Ademar Gonzalez (Dec 15)
- RE: PCI DSS Compliance Craig Wright (Dec 16)
- RE: PCI DSS Compliance Steven Jones (Dec 16)
- Re: PCI DSS Compliance null0 (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 18)
- Re: PCI DSS Compliance Pete Herzog (Dec 18)
- RE: PCI DSS Compliance Craig Wright (Dec 19)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- RE: PCI DSS Compliance Lyal Collins (Dec 20)
- Re: PCI DSS Compliance Pete Herzog (Dec 29)
- RE: PCI DSS Compliance Lyal Collins (Dec 29)
- Re: PCI DSS Compliance Pete Herzog (Dec 20)
- Re: PCI DSS Compliance Roberto Tanara (Dec 21)
- RE: PCI DSS Compliance Lyal Collins (Dec 21)
- Re: PCI DSS Compliance Roberto Tanara (Dec 22)