
Well, we're definitely not a small merchant
And this is our first pass at PCI compliance. I've already annotated the lack of virus scans on the mainframe and the Sun boxes... :-) You are right in that the focus of these questions is definitely Windows based. However...

I have the IG office following right behind me. They are checking my work, ensuring that my questions dig deep enough and that I don't ignore anything.

I wish we were a smaller organization. I have to tromp through many fiefdoms to get the info. The tests say to document how we comply. The normal reply I've been getting back is "yes we comply". I'm glad that some of these questions can be applied enterprise wide, as we have many applications that must be certified PCI compliant. This is just number one.

From what I've been told, if we were to only keep the auth number and iirc last 4 of the PAN, then we would not have to comply with all these standards because we would not have any PCI sensitive data. For some reason HQ decided to keep the full PAN.

/rant
A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort. (Herm Albright)
Edited by jbrabeck Aug. 19, 2007, 12:23:58 PM EDT
     Data recovery on Striped drives - (jbrabeck) - (19)
         Any recovery would be pretty unlikely - (Andrew Grygus)
         You may be Ok, but not guaranteed safe. - (Another Scott)
         can useful information be pulled and re-assembled by block? - (boxley)
         Depends on chunk size and what you are hiding - (crazy)
         Thanks for all the replies, let's add clarification - (jbrabeck) - (14)
             Move the risk? - (pwhysall) - (10)
                 That will be one of my suggestions. -NT - (jbrabeck)
                 Bulk Erase Tape Demanetizer. - (folkert) - (8)
                     Can't use it if they expect to reuse the hard disk - (crazy) - (7)
                         That doesn't matter, if the disk has sensitive info. - (folkert) - (6)
                             Sigh - (crazy) - (5)
                                 If its PCI, its gotta be done. - (folkert) - (4)
                                     I've had to live with these requirements - (jbrabeck) - (1)
                                         There is a certain point... that enough non-compliance... - (folkert)
                                     I've done PCI before - (crazy) - (1)
                                         Well, we're definitely not a small merchant - (jbrabeck)
             that SHOULD be covered in your contract with EMC -NT - (boxley)
             What Peter and Box said. - (static)
             Like others said, but, that's pure political - (crazy)
