
Thread: Payment Card Industry (PCI) Data Security Standard

  1. #11
    zencoder (AO Senior Cow-beller, Moderator)
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Re: Re:

    Originally posted here by SysLog
    You are right, no single vendor can go the distance and claim complete support for all the requirements that the compliance regulators pose.

    There was this whitepaper from Symantec on PCI DSS
    (free registration is required to view the doc.) where he has mentioned that sections 1, 3 & 9 are not covered by Symantec solutions.

    Also I came across many vendors like NetForensics, EventLog Analyzer, SenSage who provide compliance reports.

    But I guess no software tool can entirely model all the nitty-gritty of the compliance requirements; of course they can only assist us to some extent, which makes the above tools useful for sysadmins / management during audits.
    Yes, the tools are good for the client. As a QDSP who works for a large QDSC, we don't use any specific programs. I mean, we use nessus when we scan, and things like that, but we have our own Office documents that we use to take notes and track items checked, and generate a ROC...but there is no automated plug-in solution that spits out a big green checkmark or big red X to indicate pass or fail.

    Check out the PCI assessors forum. They call it the "Auditor Community Site", but Visa/PCI makes a big deal about using the term ASSESSMENT and ASSESSOR, not AUDIT, due to the liability and legal ramifications of those 2 different words...
    http://www.pcifile.org/
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #12
    Junior Member
    Join Date
    Jul 2006
    Posts
    8

    Re: PCI-DSS

    Thanks zencoder,

    From the required software tools perspective, what I could articulate from some of the discussions in the pcifile forums is that having some basic tools like a vulnerability scanner (like nessus, eEye, scanfi, etc...), log forensics tools (like netforensics, fwanalyzer, loglogic, ...), remediation tools (like patchquest, shavlik..) etc. with good reporting would go a long way in assisting us during our audits...oops..assessment. But of course, as mentioned, there is no "one size fits all" solution to PCI.

    Guess I will recommend some of the thoughts from the discussions at these forums to my organization!

  3. #13
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    How can we do audits when the requirements are so generalized? This is really tough on the merchants and sysadmin guys.
    They have to be high level in order to blanket everyone. Each entity has specifics that will fall within the general requirements. If they were to say something like "Passwords must be 10 chars long...", this may pose operational issues, etc. for specific industries and, furthermore, their business processes.

    Most people stick to the NIST 800 series guides to security. Same goes for me.

    Tenable, makers of Nessus, also do PCI and other reg compliance reporting now in their security console product. Thus far, I'm pleased with the results.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
