Re: CISP Compliance
Identify the systems and networks that store or transmit cardholder
information. Isolate those behind stateful firewalls.
Label everything else as public networks. Now only the isolated
network(s) and server(s) have to comply with PCI.
Once you have policies in place, your systems and networks have to comply
with those policies. Of course, compensating controls can be used if
approved by your auditor and card processor.
We start our 4th year on this in less than a month where I work.
On Mon, Aug 20, 2007 at 08:31:02PM -0400, John Keimel wrote:
> On 8/20/07, Jonathan Wilson <email@example.com> wrote:
> > Sorry if this is the wrong place for this, but:
> > Does anyone know of a place I can get information on setting up CISP (VISA
> > credit card) compliant Debian systems - or Linux in general, if there's no
> > Debian-specific info. I've been searching the web for a couple hours and I
> > don't know if I'm searching for the wrong phrases or what, but I'm not
> > finding anything at all.
> > What I'm looking for is, essentially, what software needs to be installed to
> > make a system storing and processing CC info CISP compliant, and what
> > settings need to be configured to match.
> > I'm just sure there's folks out there who've secured Debian systems and
> > installed & configured the necessary software for logging, auditing,
> > monitoring, etc. I just can't find anything about it - maybe I'm blind today.
> CISP, or PCI, as I hear it referred to more often (as PCI covers more
> than just Visa), is pretty expensive and tough. There are some
> products out there that are built on linux that are portions of the
> PCI compliance checklists, but there isn't, AFAIK in recent research,
> a one stop shop for PCI compliant servers. As a matter of fact, for
> PCI level 1 compliance, you're looking at the preference of PCI to
> have many common services (DHCP, DNS, etc) on separate servers.
> The real pain in the ass with PCI and linux is the logging and
> accountability of access to those logs.
> Making your shopping cart PCI compliant is pretty easy, there are
> plenty of things that do THAT part, but for a whole system, rather
> network, of servers to be PCI compliant is rough.
> I know of a consultant that has some spare cycles to help someone gain
> compliance if you're interested. He just went through a lot of
> research, learning, investigation and meetings with some PCI level 1
> compliance stuff, so he's got it all on the top of his brain. If
> you're interested, email me off list. And really, it's not me, it is a
> friend and colleague. I'm not pushing the consultant cart around the
> village right now.
> If you're not at level one (few are), you can likely do a bunch of
> stuff without TOO much effort and expense, but it will mean a lot of
> work and thought on security. And it's a lot of pedantic stuff. Heck,
> even some of the stuff I see in actual banks is scary compared to what
> I've seen the Level 1 PCI people wanting. But that's another rant, eh?
> Good luck.
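The scoping advice at the top of the thread (find what touches cardholder data, put it behind a firewall, and only that segment has to comply) can be checked mechanically against a network inventory. The following is an added illustration and is not code from anyone in the thread; the host inventory and segment links are constructed sample data, and the rule it implements is the usual PCI scoping rule: a system is in scope if it stores, processes or transmits cardholder data, or if it can reach such a system over a path that no firewall separates. Declaring a link "firewalled" here only stands in for a rule set that actually restricts traffic; the auditor will want to see those rules.

```python
"""Walk a segment graph to find which hosts end up in PCI scope.

Added example for the thread above, not from the original post.
HOSTS and LINKS are constructed sample data.
"""
from collections import deque

# Constructed inventory: host -> (network segment, handles cardholder data?)
HOSTS = {
    "db01": ("cde", True),
    "app01": ("cde", True),
    "web01": ("dmz", False),
    "dns01": ("corp", False),
    "dhcp01": ("corp", False),
    "laptop-42": ("corp", False),
}

# Constructed routed paths between segments; the flag says whether a
# stateful firewall with a restrictive rule set sits between them.
LINKS = [
    ("cde", "dmz", True),      # firewalled
    ("dmz", "corp", False),    # flat routing, no filtering
    ("cde", "corp", False),    # direct route with no firewall: scope leak
]


def in_scope(hosts, links):
    """Return the set of host names that fall under PCI scope.

    hosts: {name: (segment, handles_chd)}
    links: [(segment_a, segment_b, firewalled)]
    A segment is in scope if it holds cardholder data or is reachable
    from such a segment without crossing a firewall.
    """
    cde_segments = {seg for seg, chd in hosts.values() if chd}

    # Adjacency restricted to links with no firewall in between.
    open_neighbours = {}
    for a, b, firewalled in links:
        if firewalled:
            continue
        open_neighbours.setdefault(a, set()).add(b)
        open_neighbours.setdefault(b, set()).add(a)

    # Breadth-first walk from every cardholder-data segment.
    reached = set(cde_segments)
    queue = deque(cde_segments)
    while queue:
        seg = queue.popleft()
        for nxt in open_neighbours.get(seg, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)

    return {name for name, (seg, _chd) in hosts.items() if seg in reached}


def unfirewalled_links(hosts, links):
    """Links that join a cardholder-data segment to any other segment
    without a firewall. Each one pulls the far segment into scope."""
    cde_segments = {seg for seg, chd in hosts.values() if chd}
    return [
        (a, b)
        for a, b, firewalled in links
        if not firewalled and ((a in cde_segments) != (b in cde_segments))
    ]


def segmented(links, seg_a, seg_b):
    """Copy of links with a firewall declared between seg_a and seg_b."""
    return [
        (a, b, True if {a, b} == {seg_a, seg_b} else firewalled)
        for a, b, firewalled in links
    ]


if __name__ == "__main__":
    before = in_scope(HOSTS, LINKS)
    print("in scope before segmentation:", sorted(before))
    print("links to fix:", unfirewalled_links(HOSTS, LINKS))
    fixed = segmented(LINKS, "cde", "corp")
    print("in scope after segmentation:", sorted(in_scope(HOSTS, fixed)))
```

With the sample data every host is in scope at first, because the unfiltered cde-corp route drags the corporate segment in and the flat dmz-corp route then drags in the DMZ; declaring a firewall on cde-corp shrinks the scope to the two cardholder-data servers. Running the walk against a real inventory is a cheap way to find the "oops" link before the auditor does.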