
Re: Cloud Computing and PCI Compliance


  • Subject: Re: Cloud Computing and PCI Compliance
  • From: Q <email@hidden>
  • Date: Sun, 22 Aug 2010 10:02:29 +1000


On 22/08/2010, at 8:43 AM, Miguel Arroz wrote:

Hi!

On 2010/08/21, at 23:30, Q wrote:

  On the other hand, some of those questions have a very vague interpretation, and others are just plain stupid (like asking if you have an anti-virus installed on all your company computers, or asking if you have a properly configured firewall, whatever that means). I'm not defending PCI here, just saying you can get burned.


That's what the compensating controls section is for. The questions have an underlying risk that they try to protect against. In the case of antivirus software, it is to prevent the surreptitious installation of malicious or otherwise unauthorised software on your systems. If you can provide this security by other means then you detail it as a compensating control.

  That may be true for the anti-virus thing, but what about the firewall? What's a correctly configured firewall? In what way does the firewall prevent an attack using HTTP by exploiting a non-obvious bug in my app?

It doesn't. But it is about identifying potential risk, both present and future. In the case of a firewall you should be considering allowing access only to the required services and denying all else. If you do this you protect your future self from the risk of having software that doesn't need public access being used as an attack vector, even though you might not even be using that software yet.

  Some of those questions seem irrelevant or misleading to me. It looks like some kind of "one size fits all" kind of certification which ends up being pointless. I would rather have people who can THINK writing the code where my credit card goes through, than a firewall.

It's not just about the code you write. You need to think like a black hat; often there are far easier ways to compromise a system than head on. Your most vulnerable point is the thing you pay the least attention to. The PCI self-assessment is intended to get you to pay attention to as many facets of the card processing ecosystem as possible.

If you approach the PCI guidelines as "what's the minimum I need to do to be compliant" you have failed the exercise. If you instead see it as "what are the risks I need to consider based on these requirements and how do I protect against them" and adapt them to your environment you are off to a much better start.

Every one of the questions has merit. Some of them may not be so obvious to your situation, but the ones that seem pointless are probably the ones you need to be the most sure of.


  But I have a bad temper, especially when filling in endless irritating forms. ;)

I completely understand :)


-- 

Seeya...Q


Quinton Dolan - email@hidden

Gold Coast, QLD, Australia (GMT+10)
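Q's answer on the firewall question is that the control is "allow only the required services, deny all else", so that a service you add later (or forget about) is not reachable from the Internet. The following is an added example, not code from anyone in this thread, showing the check a practitioner would run to back that answer up: parse the listening sockets on a cardholder-data host, flag any that are publicly bound but not on the required-services list, and emit a default-deny nftables ruleset for exactly that list. The `ss -ltnH` output is constructed sample data; the allowlist of ports 22 and 443 and the chain layout are assumptions chosen for illustration.

```python
"""Audit listening TCP sockets against a firewall allowlist and emit a
default-deny nftables ruleset for the allowed services.

Added example, not from the mailing-list thread. SAMPLE_SS_OUTPUT is
constructed data in the shape of `ss -ltnH`; REQUIRED_PUBLIC_PORTS and the
nftables chain layout are assumptions for illustration.
"""

from dataclasses import dataclass

# Constructed sample of `ss -ltnH` (listening TCP sockets, numeric, no header).
# 5432 is bound to loopback only; 8080 is publicly bound but not required.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

# Services this host is required to expose publicly (assumed for the example).
REQUIRED_PUBLIC_PORTS = {22, 443}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    @property
    def is_public(self) -> bool:
        # Wildcard binds are reachable on every interface; loopback is not.
        return self.addr in ("0.0.0.0", "::", "*")


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltnH` lines into Listener records (local address column)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address:port is the 4th column; rpartition copes with IPv6 [::]:22.
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr=addr.strip("[]"), port=int(port)))
    return listeners


def unauthorized_public_listeners(listeners: list[Listener], allowed: set[int]) -> list[int]:
    """Ports bound to a public address that are not on the required-services list."""
    return sorted({l.port for l in listeners if l.is_public and l.port not in allowed})


def nft_ruleset(allowed: set[int]) -> str:
    """Default-deny inbound ruleset: only the allowed TCP ports accept new connections.

    Anything added to the host later is dropped unless the allowlist is
    deliberately extended, which is the point Q makes about protecting your
    future self.
    """
    ports = ", ".join(str(p) for p in sorted(allowed))
    return (
        "table inet filter {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        iif lo accept\n"
        "        ct state established,related accept\n"
        "        ct state invalid drop\n"
        f"        tcp dport {{ {ports} }} ct state new accept\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    exposed = unauthorized_public_listeners(found, REQUIRED_PUBLIC_PORTS)
    if exposed:
        print("Publicly bound but not in the required-services list:", exposed)
    else:
        print("All public listeners are on the allowlist.")
    print(nft_ruleset(REQUIRED_PUBLIC_PORTS))
```

On the sample data the audit flags port 8080 (publicly bound, not required) while leaving the loopback-only database alone; the emitted ruleset would drop traffic to 8080 regardless, which is the "deny all else" half of the control. In practice you would feed the script real `ss -ltnH` output and treat any flagged port as either a missing allowlist entry with a documented business need, or a service that should not be publicly bound at all.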





 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

  • Follow-Ups:
    • Re: Cloud Computing and PCI Compliance
      • From: Miguel Arroz <email@hidden>
References: 
 >Cloud Computing and PCI Compliance (From: Kieran Kelleher <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Simon <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Miguel Arroz <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Simon <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Q <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Miguel Arroz <email@hidden>)
