
PCI Confusion: What is Compliant?

As you may have noted, nCircle recently introduced our Certified PCI Scan Service, which means that we achieved certification as an Approved Scanning Vendor from the PCI Security Standards Council.

One of the requirements of PCI is that an ASV score vulnerabilities according to the Council's criteria. They are spelled out in detail in the ASV requirements document, but the gist is this table from the Technical and Operational Requirements for ASVs:

[Figure: the current PCI vulnerability severity table from the Technical and Operational Requirements for ASVs]

Anything scoring a 3 or greater constitutes a non-compliant system and therefore a non-compliant customer. As of June 30, 2007, PCI is changing the scoring criteria to use CVSS instead of their ranking system, as noted in the same Technical and Operational Requirements for ASVs. The use of an external standard is an improvement, but I'm confused about one particular note in the requirements (pg 4-11):

[Figure: the CVSS-based scoring note from the updated Technical and Operational Requirements for ASVs, pg 4-11]

Does anyone else read that last bullet point as saying that Denial of Service conditions will no longer constitute a non-compliant system? In the current ranking system, DoS falls clearly into category 3, which is non-compliant. Is PCI following OpenBSD or vice versa?


Comments (3)

X:

PCI is to protect the assets of the credit card company, not the implementing vendor.

Tim Erlin:

Is that Mr. X, Dr. X, or perhaps just plain X (a la Madonna or Prince).

In either case, I take it your point is that a DoS condition puts only the vendor at risk, rather than the card provider, and as such, isn't really of interest to PCI.

That does make a lot of sense, but it doesn't explain why the categorization of DoS conditions would change.

Security Consultant:

I read that the same way as you, Tim. As of the update at the end of June, DOS vulnerabilities will not be considered a fail. The intent of PCI is to protect card holder data, and to attempt to prevent possible exposures. With that focus, availability is not a concern of PCI. This is only one of many reasons that we explain to our customers that compliance does not equal security.

In regards to your question about the conflict of the severity rating vs. DOS not being considered - I believe the June 30 info is considered an addendum. The severity table has not been updated with the new information - it was actually taken word for word from the old MasterCard SDP program.

Posted on March 23, 2007 1:16 PM.