Re: CISP Compliance
On 8/20/07, Jonathan Wilson <email@example.com> wrote:
> Sorry if this is the wrong place for this, but:
> Does anyone know of a place I can get information on setting up CISP (VISA
> credit card) compliant Debian systems - or Linux in general, if there's no
> Debian-specific info. I've been searching the web for a couple hours and I
> don't know if I'm searching for the wrong phrases or what, but I'm not
> finding anything at all.
> What I'm looking for is, essentially, what software needs to be installed to
> make a system storing and processing CC info CISP compliant, and what
> settings need to be configured to match.
> I'm just sure there are folks out there who've secured Debian systems and
> installed & configured the necessary software for logging, auditing,
> monitoring, etc. I just can't find anything about it - maybe I'm blind today.
CISP, or PCI, as I hear it referred to more often (as PCI covers more
than just Visa), is pretty expensive and tough. There are some
products out there that are built on Linux that are portions of the
PCI compliance checklists, but there isn't, AFAIK in recent research,
a one stop shop for PCI compliant servers. As a matter of fact, for
PCI level 1 compliance, you're looking at the preference of PCI to
have many common services (DHCP, DNS, etc) on separate servers.
The real pain in the ass with PCI and Linux is the logging and
accountability of access to those logs.
Making your shopping cart PCI compliant is pretty easy, there are
plenty of things that do THAT part, but for a whole system, or rather a
network, of servers to be PCI compliant is rough.
I know of a consultant that has some spare cycles to help someone gain
compliance if you're interested. He just went through a lot of
research, learning, investigation and meetings with some PCI level 1
compliance stuff, so he's got it all on the top of his brain. If
you're interested, email me off list. And really, it's not me, it is a
friend and colleague. I'm not pushing the consultant cart around the
village right now.
If you're not at level one (few are), you can likely do a bunch of
stuff without TOO much effort and expense, but it will mean a lot of
work and thought on security. And it's a lot of pedantic stuff. Heck,
even some of the stuff I see in actual banks is scary compared to what
I've seen the Level 1 PCI people wanting. But that's another rant, eh?
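The reply's point about "accountability of access to those logs" is the part of the logging requirement that a plain syslog setup does not give you: you need to know which login user opened, failed to open, or deleted a log file, even when they did it as root. The script below is an added example, not code from either poster; it parses a few constructed auditd records (the kind a watch rule on /var/log with a key such as "logaccess" would emit; that key name, the x86_64 syscall numbers, and every sample value are assumptions) and reports who touched which log, which accesses were denied, which were done as root by a logged-in user, and which carry no login uid at all.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not from the thread). They imitate what a
# rule like `-w /var/log -p rwa -k logaccess` produces: a SYSCALL record and
# one or more PATH records that share the same serial number.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1187650000.101:201): arch=c000003e syscall=2 success=yes exit=3 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="logaccess"
type=PATH msg=audit(1187650000.101:201): item=0 name="/var/log/auth.log" inode=1 dev=08:01 mode=0100640 ouid=0 ogid=4
type=SYSCALL msg=audit(1187650000.102:202): arch=c000003e syscall=2 success=no exit=-13 ppid=910 pid=911 auid=1001 uid=1001 gid=1001 euid=1001 comm="less" exe="/usr/bin/less" key="logaccess"
type=PATH msg=audit(1187650000.102:202): item=0 name="/var/log/syslog" inode=2 dev=08:01 mode=0100640 ouid=0 ogid=4
type=SYSCALL msg=audit(1187650000.103:203): arch=c000003e syscall=87 success=yes exit=0 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/bin/rm" key="logaccess"
type=PATH msg=audit(1187650000.103:203): item=0 name="/var/log/messages.1" inode=3 dev=08:01 mode=0100640 ouid=0 ogid=4
type=SYSCALL msg=audit(1187650000.104:204): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=50 auid=4294967295 uid=0 gid=0 euid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="logaccess"
type=PATH msg=audit(1187650000.104:204): item=0 name="/var/log/syslog" inode=2 dev=08:01 mode=0100640 ouid=0 ogid=4
"""

AUDIT_ID_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 syscall numbers for the calls that matter here (assumption: this subset only).
SYSCALL_NAMES = {"2": "open", "257": "openat", "87": "unlink", "263": "unlinkat"}
AUID_UNSET = "4294967295"  # auid=-1: no login session, e.g. a daemon started at boot
WATCH_KEY = "logaccess"     # assumed key from the audit rule


def parse_audit(text):
    """Group records by serial into {serial: {"ts", "SYSCALL": {...}, "PATH": [...]}}."""
    events = defaultdict(lambda: {"ts": None, "SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = AUDIT_ID_RE.search(line)
        if not m:
            continue  # blank or non-audit line
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[m.group("serial")]
        ev["ts"] = m.group("ts")
        if fields.get("type") == "SYSCALL":
            ev["SYSCALL"] = fields
        elif fields.get("type") == "PATH":
            ev["PATH"].append(fields)
    return dict(events)


def access_report(text):
    """One row per (event, path): who did what to which log file, and whether it succeeded."""
    rows = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        sc = ev["SYSCALL"]
        if sc is None or sc.get("key") != WATCH_KEY:
            continue
        for p in ev["PATH"]:
            rows.append({
                "serial": serial,
                "path": p["name"],
                "action": SYSCALL_NAMES.get(sc["syscall"], "syscall#" + sc["syscall"]),
                "success": sc["success"] == "yes",
                "auid": sc["auid"],   # the login user: this is what accountability hinges on
                "uid": sc["uid"],     # the effective identity at the time (often 0 via sudo)
                "comm": sc["comm"],
            })
    return rows


def denied(rows):
    """Accesses the kernel refused; a reviewer wants these as much as the successes."""
    return [r for r in rows if not r["success"]]


def root_by_human(rows):
    """Successful accesses done as root by someone with a real login uid."""
    return [r for r in rows if r["success"] and r["uid"] == "0" and r["auid"] != AUID_UNSET]


def unattributed(rows):
    """Accesses with no login uid: a daemon, or a session that bypassed PAM."""
    return [r for r in rows if r["auid"] == AUID_UNSET]


def deletions(rows):
    """Log files removed; the deleter's auid is the record that survives."""
    return [r for r in rows if r["success"] and r["action"] in ("unlink", "unlinkat")]


if __name__ == "__main__":
    rows = access_report(SAMPLE_AUDIT)
    for r in rows:
        print(f"{r['serial']} auid={r['auid']} uid={r['uid']} {r['comm']} "
              f"{r['action']} {r['path']} {'ok' if r['success'] else 'DENIED'}")
    print("denied:", [r["path"] for r in denied(rows)])
    print("root by human:", [(r["auid"], r["path"]) for r in root_by_human(rows)])
    print("unattributed:", [r["comm"] for r in unattributed(rows)])
    print("deleted:", [(r["auid"], r["path"]) for r in deletions(rows)])
```

On a real host the input is the output of `ausearch -k logaccess` (or the raw audit.log) rather than the embedded sample. The auid field is the whole point: uid=0 tells you nothing about who ran `rm`, auid=1000 does, which is why the audit trail has to be kept on a host the reviewed users cannot write to.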