On 22/08/2010, at 8:43 AM, Miguel Arroz wrote:
Hi!
On 2010/08/21, at 23:30, Q wrote:
On the other hand, some of those questions have a very vague interpretation, and others are just plain stupid (like asking if you have an anti-virus installed on all your company computers, or asking if you have a proper configured firewall, whatever that means). I'm not defending PCI here, just saying you can get burned.
That's what the compensating controls section is for. The questions have an underlying risk that they try to protect against. In the case of antivirus software, it is to prevent the surreptitious installation of malicious or otherwise unauthorised software on your systems. If you can provide this security by other means then you detail it as a compensating control.
That may be true for the anti-virus thing, but what about the Firewall? What's a correctly configured firewall? In what way the firewall prevents an attack using HTTP by exploiting a non-obvious bug in my app?
It doesn't. But it is about identifying potential risk, both present and future. In the case of a firewall you should be considering allowing only access to the required services and denying all else. If you do this you protect your future self from the risk of having software that doesn't need public access being used as an attack vector, even though you might not be even using that software yet.
Some of those questions seem irrelevant or misleading to me. It looks like some kind of "one size fits all" kind of certification which ends up being pointless. I would rather have people who can THINK writing the code where my credit card goes trough, than a firewall.
It's not just about the code you write. You need to think like a black hat, often there are far easier ways to compromise a system than head on. Your most vulnerable point is the thing you pay the least attention to, the PCI self assessment is intended to get you to pay attention to as many facets of the card processing ecosystem as possible.
If you approach the PCI guidelines as "what's the minimum I need to do to be compliant" you have failed the exercise. If you instead see it as "what are the risks I need to consider based on these requirements and how do I protect against them" and adapt them to your environment you are off to a much better start.
Every one of the questions have merit, some of them may not be so obvious to your situation, but the ones that seem pointless are probably the ones you need to be the most sure of.
But I have a bad temper, specially when filling endless irritating forms. ;)