Re: Cloud Computing and PCI Compliance
Re: Cloud Computing and PCI Compliance
- Subject: Re: Cloud Computing and PCI Compliance
- From: Miguel Arroz <email@hidden>
- Date: Sat, 21 Aug 2010 23:43:12 +0100
Hi!On 2010/08/21, at 23:30, Q wrote: On the other hand, some of those questions have a very vague interpretation, and others are just plain stupid (like asking if you have an anti-virus installed on all your company computers, or asking if you have a proper configured firewall, whatever that means). I'm not defending PCI here, just saying you can get burned.
That's what the compensating controls section is for. The questions have an underlying risk that they try to protect against. In the case of antivirus software, it is to prevent the surreptitious installation of malicious or otherwise unauthorised software on your systems. If you can provide this security by other means then you detail it as a compensating control.
That may be true for the anti-virus thing, but what about the Firewall? What's a correctly configured firewall? In what way the firewall prevents an attack using HTTP by exploiting a non-obvious bug in my app?
Some of those questions seem irrelevant or misleading to me. It looks like some kind of "one size fits all" kind of certification which ends up being pointless. I would rather have people who can THINK writing the code where my credit card goes trough, than a firewall.
But I have a bad temper, specially when filling endless irritating forms. ;)
Regards
Miguel Arroz |
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden