Re: Question for DPL Candidates: Debian $$$

On Thu, Mar 26, 2009 at 02:28:21AM -0400, Zephaniah E. Hull wrote:
> On Wed, Mar 25, 2009 at 01:15:02PM +0000, Mark Brown wrote:

> > This is also an issue in some other industries for things like the PCI
> > DSS (http://en.wikipedia.org/wiki/PCI_DSS), FWIW.

> Taken with a grain of salt, but I can't recall any part of the PCI
> DSS which Debian doesn't comply with at least as well as Redhat does.

The issue is not if we comply, it's if we've got certification saying
that we comply - the people who care about this stuff need to have the

> Which is to say, on the server or desktop side PCI does not require
> certification or independent evaluation of the OS or applications, just
> that given practices be followed. (Some of them are a bit odd, or
> downright insane, but.)

> Now, the issues with stuff embedded into credit card terminals or ATMs
> gets a lot nastier.  Most of that goes into the hardware side, but I
> have not had to go through a PCI audit on those, so I'm not sure what
> all is involved.

My understanding is that it's an issue on the server side as well if
you're pushing the interesting data through there.  I also understand
that some of it is things like verifying that relevant security updates
have been applied which is a best practice sort of thing but is
something that people can do in a canned way with some OS knowledge.

