
| Subject: | RE: PCI DSS Compliance |
|---|---|
| Date: | Mon, 19 Dec 2005 20:23:00 +1100 |
The entire document and all associated pages.
An automated, not verified process does not meet the scanning/testing
requirements. It is thus entirely irrelevant to the discussion as it will not
help you be compliant.
All up, "simple systems" and low volume sites requiring low level testing
still have over 100 pages of requirement documents. The summary of 12 points is
not the entire process. There are separate scan and testing processes that need
to be done.
Application tests need to be done.
A method to ensure that all systems are single use needs to be implemented
etc etc
As stated - this is for low volume simple sites. More detailed sites need to be
formally audited to a level that makes a SAS 70 part 2 look simple.
CardSystems was never compliant for example as they never had a valid test as
per the PCI DSS.
Craig
-----Original Message-----
From: Pete Herzog [mailto:lists@isecom.org]
Sent: Mon 19/12/2005 6:12 PM
To: Craig Wright
Cc: syedma@microland.net; mjohnso6@optonline.net; Ademar Gonzalez;
webappsec@securityfocus.com
Subject: Re: PCI DSS Compliance
> Read the document
>
> You have to verify the port - this is one section of the document. When
> you read all the requirements then judge.
I did read it. Did you even read my post? I had only commented on the
automated, not verified process that appeared to be used by this
particular vendor and then on the senselessness of the process (the myth
of patching).
-pete.