IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Security Forum / I've done PCI before
Post #291,137
by crazy
8/19/07 11:57:40 AM
Reply
New I've done PCI before
I seem to recall (from my point of view) the level of effort was based on how many transactions you dealt with. That way small companies would not be killed by the overhead of dealing with it,

Also, I remember our Unix admin getting really pissed when we would not allow him to explain to the auditors that a particular sysem was Linux, did not have inbound email, did not present any shares using ANY protocol, was accessed strictly via secure shell from me and him, and had it's own very restrictive firewall settings and DID NOT NEED WINDOWS VIRUS SCANNING!

After meeting with the auditors once, we realized it was far easier to setup bullshit technical "fixes" that we could then check-off the list. The admin was ready to kill me. He was a talker, and was furious that we'd require him to setup and maintain software (including ongoing signature updates).

And then the flip side was worse. These auditors did not like the way something was done under Windows. My Windows admin pulls out the MS book, highlights the phrase "best practicies", and they then corrected their check-off lists to included whatever our admin told them.

Idiots.
Post #291,138
by jbrabeck
8/19/07 12:22:24 PM
8/19/07 12:23:58 PM
Reply
New Well, we're definitely not a small merchant
And this is our first pass at PCI compliance. I've already annotated the lack of virus scans on the mainframe and the Sun boxes... :-) You are right in that the focus of these questions is definitely Windows based. However...

I have the IG office following right behind me. They are checking my work, ensuring that my questions did deep enough and that I don't ignore anything.

I wish we were a smaller organization. I have to tromp though many fiefdoms to get the info. The test say to document how we comply. The normal reply I've been getting back is "yes we comply". I'm glad that some of these questions can be applied enterprise wide, as we have many applications that must be certified PCI compliant. This is just number one.

From what I've been told, if we were to only keep the auth number and iirc last 4 of the PAN, then we would not have to comply with all these standards because we would not have any PCI sensitive data. For some reason HQ decided to keep the full PAN.

/rant
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
Expand Edited by jbrabeck Aug. 19, 2007, 12:23:58 PM EDT
Expand All History
     Data recovery on Striped drives - (jbrabeck) - (19) - Aug. 17, 2007, 01:54:01 PM EDT
         Any recovery would be pretty unlikely - (Andrew Grygus) - Aug. 17, 2007, 02:13:24 PM EDT
         You may be Ok, but not guaranteed safe. - (Another Scott) - Aug. 17, 2007, 02:15:44 PM EDT
         can useful information be pulled and re-assembled by block? - (boxley) - Aug. 17, 2007, 02:22:23 PM EDT
         Depends on chunk size and what you are hiding - (crazy) - Aug. 17, 2007, 04:31:10 PM EDT
         Thanks for all the replys, let's add clarification - (jbrabeck) - (14) - Aug. 18, 2007, 06:19:28 AM EDT
             Move the risk? - (pwhysall) - (10) - Aug. 18, 2007, 06:22:01 AM EDT
                 That will be one of my suggestions. -NT - (jbrabeck) - Aug. 18, 2007, 06:38:46 AM EDT
                 Bulk Erase Tape Demanetizer. - (folkert) - (8) - Aug. 18, 2007, 08:44:46 PM EDT
                     Can't use it if they expect to reuse the hard disk - (crazy) - (7) - Aug. 18, 2007, 08:53:28 PM EDT
                         That doesn't matter, if the disk has sensitive info. - (folkert) - (6) - Aug. 18, 2007, 11:57:48 PM EDT
                             Sigh - (crazy) - (5) - Aug. 19, 2007, 12:35:52 AM EDT
                                 If its PCI, its gotta be done. - (folkert) - (4) - Aug. 19, 2007, 02:03:36 AM EDT
                                     I"ve had to live with these requirements - (jbrabeck) - (1) - Aug. 19, 2007, 07:59:06 AM EDT
                                         There is a certain point... that enough non-compliance... - (folkert) - Aug. 19, 2007, 11:49:44 AM EDT
                                     I've done PCI before - (crazy) - (1) - Aug. 19, 2007, 11:57:40 AM EDT
                                         Well, we're definitely not a small merchant - (jbrabeck) - Aug. 19, 2007, 12:23:58 PM EDT
             that SHOULD be covered in your contract with EMC -NT - (boxley) - Aug. 18, 2007, 07:30:28 AM EDT
             What Peter and Box said. - (static) - Aug. 18, 2007, 08:52:59 AM EDT
             Like others said, but, that's pure political - (crazy) - Aug. 18, 2007, 03:15:49 PM EDT

I should drag your fat arse over here and make you clean the coffee off my monitor.
91 ms