[GRLUG] PCI v1.2 Compliance.

Adam Tauno Williams awilliam at whitemice.org
Wed Dec 10 16:05:50 EST 2008


On Wed, 2008-12-10 at 15:21 -0500, Greg Folkert wrote:
> All I can say is *IT SUCKS*.

Actually I think PCI is a pretty good standard.  I think 98% of the
recommendations are solid/good practices.   And it makes a nice club to
beat good security practices into an organization.

> Effectively, you have to be running an IDS at all times for all network
> traffic.

Or at least all traffic ingressing to or egressing from a machine with payment
card information.  Also you get a score regarding your PCI/DSS
compliance,  almost nobody is 100% compliant;  PCI/DSS compliance is
used as a risk analysis tool.

Personally this one bugs me because I haven't met an IDS yet that I
think is worth the trouble;  if there is a category for crappy over-sold
software then IDS is such a category.

> Also have to be running Anti-Virus on Linux machines that even "look
> like they might have CHD" near them.

Yes, I don't see why that is a problem.  Install CLAMAV.

> Also have to have logging (transactional and logins and traffic) going
> back for 90 days minimum.

All good.

> You are forced to have a "comprehensive" application firewall setup
> (like mod_security2 for Apache2) that actively blocks all "known"
> exploits and prevents common practices. This effectively eliminates *ANY*
> CMS transaction handling of *ANY* card holder data.
> SOAP/XML/Streaming/AJAX virtually non-usable now unless fully double
> encrypted in both directions with unique keys on a regularly updated
> process.

It is difficult to interpret what it pragmatically means in some
circumstances.  It does pose some real problems for a lot of CMS and
web systems, but perhaps this is because most CMS / AJAX sites are
ridiculously insecure.  Language like "all known": all known to whom?
In most cases regarding legal contracts such as SLAs this is really a
requirement for best-effort using accepted best practices.

> Disk Encryption for most everything application related must be used,
> goodbye NFS anything. 

I believe current versions of NFS are quite secure;  the latest versions
of NFS can even perform authorization via GSSAPI.

> NO WIRELESS PERIOD. WPA2 suspect now and likely to become non-allowed
> shortly.

I don't believe WPA2 (if we mean PEAP or EAP-TLS + TKIP or AES) is
suspect.  The recent reports of exploitation were grossly exaggerated.

> FYI, these are just a few of the things we have been told etc...
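
As an added illustration (not part of the thread, not anyone's posted config): what the GSSAPI-protected NFS mentioned above looks like in practice, with the weak AUTH_SYS export line beside the Kerberos-protected one. The hostnames, paths and realm are placeholders.

```conf
# --- Server side: /etc/exports (added example; hosts, paths, realm are assumptions)

# Weak: sec=sys (AUTH_SYS) trusts whatever UID/GID the client claims and
# sends file data in the clear.  A spoofed or compromised client on the
# segment reads the share.
/srv/cards   db1.example.com(rw,sync,no_subtree_check,sec=sys)

# Kerberos via GSSAPI.  krb5 = authenticated RPC, krb5i = plus integrity
# checking, krb5p = plus privacy (the payload is encrypted on the wire).
# Only krb5p is listed, so a client that cannot do GSSAPI gets nothing.
/srv/cards   db1.example.com(rw,sync,no_subtree_check,sec=krb5p)

# Both hosts need an nfs/ service principal in /etc/krb5.keytab:
#   server: nfs/nfs1.example.com@EXAMPLE.COM
#   client: nfs/db1.example.com@EXAMPLE.COM
# plus the helper daemons from nfs-utils: rpc.svcgssd on the server,
# rpc.gssd on the client, and rpc.idmapd on both for NFSv4 name mapping.

# --- Client side: /etc/fstab
nfs1.example.com:/srv/cards   /mnt/cards   nfs4   sec=krb5p,hard   0 0
```

A quick check after mounting is `nfsstat -m`, which should report `sec=krb5p` for the mount; if it shows `sec=sys` the client silently fell back and the export line still permits it.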
