Dailydave: Re: PCI-DSS and ssh public key question

Re: PCI-DSS and ssh public key question

From: B.K. DeLong <bkdelong_at_pobox.com>
Date: Tue, 10 Jun 2008 11:22:01 -0400

Not to get too off-topic, but one of the questions many merchants have
been asking is how willing the QSA is to stand up for their audit
findings and PCI Compliance certification. Hannaford is obviously one
of the more recent examples, as they were deemed compliant and yet they
had a fairly large breach.

It's not news that every QSA is different and some are far more strict
than others - are there any accountability standards for QSAs? Can the
PCI Council or the affected card acquirer sanction a QSA for an audit
that was too lenient? Yes, PCI Compliance does not equal being secure
by any means, but that is definitely an end-goal of the PCI-DSS (with
another major one being the game of risk transference).

I would also follow up on Lee's comments (to keep this on topic) to make
sure said compensating control is proposed to the QSA in writing and
approved by them in writing to maintain the full audit trail. I've
heard of quite a few cases where an auditor says one thing and the
acquirer or Council says another, and no one can find the paperwork to
reconcile.

On Tue, Jun 10, 2008 at 4:00 AM, Lee Brotherston <lee_at_nerds.org.uk> wrote:
> On Mon, Jun 09, 2008 at 04:27:14PM -0400, Paul Wouters wrote:
>> Does anyone have a definitive answer on whether ssh public key encryption,
>> without hardware tokens, is allowed according to PCI-DSS?
>
> Unfortunately the PCI-DSS standard is generally fluffy enough that
> there is no definitive answer to much of it. I would say the best
> course of action is to ask your QSA when they are doing your gap
> analysis. After all, it's their opinion that counts, at least from
> the perspective of getting the accreditation anyway.

-- 
B.K. DeLong (K3GRN)
bkdelong_at_pobox.com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF:
http://foaf.brain-stream.org
Received on Jun 10 2008