You should have a Modem type Card reader....
They want me to show we are "PCI" Compliant before removing the "Non
Compliance Fines" from my bill???
How safe is a Modem calling their server? Not my problem, it's their kit
I rent, so why the Fines?
And don't ask about "Customer Not Present"!!
On Thu, 2010-03-18 at 11:30 +0000, Gordon Henderson wrote:
> Any webby hostys here put their sites through this whole PCI testing
> thing?
>
> One of my clients just did without mentioning it to me, then are jumping up
> and down because it unsurprisingly failed...
>
> However, while I can push all the buttons to make the testing house happy
> (well most of them - they're whinging about some "possible" SQL injections
> that the client's own code is responsible for), I feel that they're
> missing a few vital things - the site is on a shared server and although
> it has its own IP address (ssl site), there are dozens of other sites
> there too - so having an open FTP server scores 3 points - sure, I could
> block it for their own IP address, but it still leaves it open on the
> 'base' server and all other sites.
>
> Same for other trivial things like POP and so on.
>
> One annoying thing it failed on was not having a virus checker - they sent
> EICARs to postmaster@it and expected it to fail - well, it won't as it
> doesn't have a virus checker, it's a Linux host (which they correctly
> identified!)
>
> And interestingly, reading the documentation the client sent me, it seems
> that they (the testing house) wanted me to remove all firewalling and
> allow full access from the testing house's IP range before they started the
> test!
>
> So it seems to me that this whole PCI testing thing is really a pile of
> junk, and people are paying good money for a 'scan' which really isn't
> showing anything significant at all... Or even if it passes, then the
> server itself is still not "secure" as it's hosting other sites, etc.
>
> So where can I sign up to be a PCI testing house???
>
> Gordon
>
Regards
Kevin Lucas
Minions Post Master(Sub)
Po House, Minions,
Liskeard Cornwall
PL14 5LE
01579363386
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html