Hello,
PCI is a contractual arrangement. It is not legistlative.
So the answer is a resonding maybe. OR and it depends.
If the Managed IDS [MIDS] supplier is specifically stating that they are
offering PCI-DSS services, than they would have to meet the requirements in
either case or it is a trade practices/unfair dealings/false statement issue.
This is either a civil tort or criminal offense.
The onus is for the merchant or issuer using the MIDS to ensure that they have
a contract stating this. Section 12.8 states:
12.8 If cardholder data is shared with service providers, then contractually
the following is required:
12.8.1 Service providers must adhere to the PCI DSS requirements
12.8.2 Agreement that includes an acknowledgement that the service provider is
responsible for the security of cardholder data the provider possesses.
This is a contractual arrangement. You also need to read Requirement A.1:
Hosting providers protect cardholder data environment
If the merchant etc did not contract to have the provider be PCI-DSS compliant
and the provider did not explicitly state that they are, then the merchant is
in breach of the PCI-DSS - and NOT the MIDS provider.
Regards,
Craig
Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright@bdo.com.au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
The information in this email and any attachments is confidential. If you are
not the named addressee you must not read, print, copy, distribute, or use in
any way this transmission or any information it contains. If you have received
this message in error, please notify the sender by return email, destroy all
copies and delete it from your system.
Any views expressed in this message are those of the individual sender and not
necessarily endorsed by BDO Kendalls. You may not rely on this message as
advice unless subsequently confirmed by fax or letter signed by a Partner or
Director of BDO Kendalls. It is your responsibility to scan this communication
and any files attached for computer viruses and other defects. BDO Kendalls
does not accept liability for any loss or damage however caused which may
result from this communication or any files attached. A full version of the
BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO
Kendalls website at http://www.bdo.com.au or by emailing
administrator@bdo.com.au.
BDO Kendalls is a national association of separate partnerships and entities.
________________________________
From: listbounce@securityfocus.com on behalf of marino.zini@uk.clara.net
Sent: Fri 24/08/2007 1:37 AM
To: focus-ids@securityfocus.com
Subject: PCI/DSS compliant Managed IDS
Would Managed Security Company providing a Managed IDS service for a company
with Tier 1 PCI/DSS compliance have to be PCI/DSS compiaant itself?
Does anyone have an opinion or experience with this?
regards
Marino
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
