PCI DSS Compliance
03-16-2011, 09:39 AM
Post: #4
RE: PCI DSS Compliance
(10-04-2010 10:19 AM) resilien7 Wrote: What exactly does this have to do with PCI DSS compliance?

Although I don't know the specifics of the issue in question, it is my understanding that one of the requirements of the PCI DSS is to make sure that all applications in the Cardholder Data Environment (CDE) are patched with the most current patches. (I am assuming that the PHP installation in question is actually part of the CDE and in scope -- if it is not in scope, then there is less to worry about.)

The presumption is that patches are exactly that -- patches against security issues and so forth. Unpatched software anywhere in your CDE means that a malicious attacker can attempt to compromise that part of your infrastructure, using a known exploit.

Unpatched software (and I'm pretty sure your PHP would count) accounts for a lot of exploits. It can be... troublesome.

That said, however, the DH reply above is... er, less than responsible regarding the potential security issues of unpatched software.

For a situation as described above, what makes sense is to basically write up a Compensating Control. If your bank or acquirer is okay with that, then Bob's your uncle.

If revision 5.2.9 only offers cosmetic and not security improvements over 5.2.6 (you have to know this -- you can't just assume or guess, which is why I think DH's response was a little less than responsible), then that information would be a part of the compensating control.

It is entirely possible a bank or acquirer would accept a compensating control.

To understand more about compensating controls, writing them, and how they can be applied toward compliance with the PCI DSS, here are a couple of useful links:

https://www.infosecisland.com/blogview/8...ntrol.html

http://www.csoonline.com/article/577363/...ng-control

To understand more about the PCI DSS, what it means, and how compliance with it can help you, here's another link:

https://www.pcisecuritystandards.org/

I admit, it's not the most RIVETING reading in the world, but if you're running an e-commerce site, it's VERY good to know the twelve basic requirements of the PCI DSS -- they represent the application of smart and responsible thinking toward e-commerce and other online transactions of sensitive data.
Messages In This Thread
PCI DSS Compliance - webfeathers - 06-15-2009, 03:42 PM
PCI DSS Compliance - sXi - 06-15-2009, 08:02 PM
RE: PCI DSS Compliance - resilien7 - 10-04-2010, 10:19 AM
RE: PCI DSS Compliance - EdwardMartinIII - 03-16-2011, 09:39 AM