RE: PCI DSS
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 23 Aug 2007 08:21:05 +1000
Spend some time and go to the PCI Council site. http://www.pcicouncil.org. Read the standards and the requirements.
No matter what size your organisation is, you have to meet the standards if you take cardholder information. No matter
the size of your organisation, you have to comply - if you take cards, it is in the contract.
Worse still, even small organisations need to sign a document attesting that they have met the standard. The issue here
is that this is not just that you have had a scan - but that you meet ALL 12 areas of the standard or have SUITABLE
A scan from an ASV is not compliance with the standard. In addition, for instance, the following is an extract from the
standard - which applies to all parties covered by the PCI-DSS:
"11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade
or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to
the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests."
These do not need to be done through an ASV or audit firm; you get to choose the pen test party that best suits you.
Either way, you need to have this done to be compliant.
Worst of all, for all the small merchants signing that they have met the standard, they may be guilty of fraud at worst
and a negligent misstatement at best. The ASV is not the one who gets into trouble; the merchant/issuer is.
As a merchant you have to meet the standard, it is your requirement and no amount of paper from auditors and vendors
will aid you if you are in breach. So when choosing the ASV - remember that you set the scope - allow them and you get
You have to answer the following questionnaire:
As stated, this is a legal document - which many people seem not to understand. Lying or attempting to mislead yourself
on the answers only hurts yourself.
Take the rarely implemented point 3.5; the self-assessment asks:
"Are account numbers (in databases, logs, files, backup media, etc.) stored securely- for example, by means of
encryption or truncation?"
This means that the data is either stored AND encrypted, or it is cut off and not stored. EFS is not database
encryption - this means table or field encryption in the database. Ticking yes because you do an XOR (as I have seen at
least 15 firms do) is not acceptable. The standard defines the types and formats. As the security or risk manager who
signs this, if you have not implemented encryption - really implemented it, using an approved algorithm (e.g. AES) - then
signing this may be a criminal offence.
In Australia this is covered in the Corporations Act s1309A (False or Misleading Statements), and this can carry a
penalty of several years' gaol time.
So the PCI is more than just a little tick list that gets in the way. It is your responsibility - not the ASV's. CYA.
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within
those States and Territories of Australia where such legislation exists.
The information in this email and any attachments is confidential. If you are not the named addressee you must not
read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have
received this message in error, please notify the sender by return email, destroy all copies and delete it from your
Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or
Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer
viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may
result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au
BDO Kendalls is a national association of separate partnerships and entities.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of security guy
Sent: Thursday, 23 August 2007 2:22 AM
To: security-basics () securityfocus com
Subject: PCI DSS
From what I can see there seem to be some inconsistencies between the
PCI-DSS scanning guidelines and the cost of services offered by the
ASVs. The testing process to become an ASV seems to require a certain
degree of manual testing, but there are plenty of companies offering
deals such as £75 for the testing of entire host ranges. Are companies
doing a full manual test on the assessment and then just chucking a
load of automated scanners at the hosts they test commercially
afterwards? Surely there's no way any test-house can manually test
even a single host at that cost!
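The point 3.5 discussion in Craig's reply above (a fixed-key XOR is not encryption of a stored PAN, whereas truncation means the data is cut off and never stored), as an added example that is not part of either post and not from the PCI standard. The sample PANs, the 4-byte key, and the assumption that the attacker knows one stored PAN and the key length are all constructed for the illustration.

```python
# Added example (not from the mailing list post): why repeating-key XOR
# "encryption" of card numbers fails, beside first-six/last-four truncation.
# PAN values and the XOR key below are constructed test data.
from typing import List


def truncate_pan(pan: str) -> str:
    """Truncate a PAN to its first six and last four digits.

    This is the "cut off and not stored" option: the middle digits are
    replaced before the value reaches the database, so there is nothing
    to decrypt later. Separators (spaces, dashes) are ignored.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("implausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """The "encryption" some shops tick yes for: XOR with a short fixed key.

    XOR is its own inverse, so the same call scrambles and unscrambles,
    and the key repeats every len(key) bytes.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on the repeating-key XOR.

    One record whose PAN the attacker already knows (their own card, a test
    card, a receipt) yields the whole key, because for every byte
    ciphertext XOR plaintext == key byte.
    """
    if len(ciphertext) < key_len or len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of matching text")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def break_store(records: List[bytes], known_pan: bytes, key_len: int) -> List[bytes]:
    """Recover the key from one known record (assumed to be records[0]) and
    decrypt every other record in the store with it."""
    key = recover_xor_key(records[0], known_pan, key_len)
    return [xor_scramble(ct, key) for ct in records]


if __name__ == "__main__":
    key = bytes.fromhex("5aa50ff0")  # constructed 4-byte key
    pans = [b"4111111111111111", b"5555555555554444", b"378282246310005"]
    store = [xor_scramble(p, key) for p in pans]
    print("truncated:", truncate_pan("4111 1111 1111 1111"))
    print("recovered:", break_store(store, pans[0], len(key)))
```

The attacker does not even need the key length: a few guesses at small values, checked against the fact that decrypted PANs must be ASCII digits, settle it. That is the gap between "we transform the data" and encryption with an approved algorithm, which is what the self-assessment question is asking about.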