[GRLUG] PCI v1.2 Compliance.

Greg Folkert greg at gregfolkert.net
Wed Dec 10 15:21:34 EST 2008


All I can say is *IT SUCKS*.

Effectively, you have to be running an IDS at all times for all network
traffic.

Also have to be running Anti-Virus on Linux machines that even "look
like they might have CHD" near them.

Also have to have logging (transactional and logins and traffic) going
back for 90 days minimum.

You are forced to have a "comprehensive" application firewall setup
(like mod_security2 for Apache2) that actively blocks all "known"
exploits and prevents common practices. This effectively eliminates *ANY*
CMS transaction handling of *ANY* card holder data.
SOAP/XML/Streaming/AJAX virtually non-usable now unless fully double
encrypted in both directions with unique keys on a regularly updated
process.

Disk Encryption for most everything application related must be used,
goodbye NFS anything. 

NO WIRELESS PERIOD. WPA2 suspect now and likely to become non-allowed
shortly.

FYI, these are just a few of the things we have been told etc...
-- 
greg at gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2
