PCI DSS Requirements
After research that has led to mixed results, I could use more info on PCI DSS compliance.
1. Does Linux require full AV software? Regular rootkit scans?
2. If code is based on EoL PHP libraries does it need to be updated, thus breaking compatibility?
2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)
Comments
-
TheFORCE: Incidentally I was doing some reading on this too. From what I've gathered, vulnerability scanning software out there will fail you for PCI compliance if things like that are not resolved. However, you can submit exception forms which detail other compensating or complementary controls that will make the findings get a pass.
-
gespenstern: I believe it is yes on both. But that would be perfect compliance, and almost nobody is perfect.
-
McxRisley: As someone who works in compliance, the answer is yes to the first question. The second one would require justification for having an open finding, and as long as whoever is reviewing the findings agrees with the justification, it is allowed. You will also need a plan on how to deal with fixing the open finding and set a date for the issue to be fixed. This is what we call a POA&M (Plan of Action and Milestones).
I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
-
techfiend: The reason for the confusion on AV is the requirements state "PCI DSS requires anti-virus to be installed on all systems that are commonly affected by malware." Which leads me to believe it refers to Windows specifically.
Is AV required on Linux or just rootkit scans? If AV, does it need to have real time protection?
It looks like PHP 7.1 compatibility is going to the top of the list. Thanks for that information.
-
techfiend: Regarding restricting physical access, what would auditors see as sufficient?
Key-locked door and rack good enough, or are they looking for typical datacenter security with man traps, security guards, biometric scans, etc.?
-
TechGuru80:
techfiend wrote:
The reason for the confusion on AV is the requirements state "PCI DSS requires anti-virus to be installed on all systems that are commonly affected by malware." Which leads me to believe it refers to Windows specifically.
techfiend wrote:
Regarding restricting physical access, what would auditors see as sufficient?
Key-locked door and rack good enough, or are they looking for typical datacenter security with man traps, security guards, biometric scans, etc.?
A receptionist could double as somewhat of a "security guard" in the sense that they are monitoring access in and out. Biometrics aren't very common except in high security areas...and still don't seem to be widely accepted by would-be users.
-
McxRisley: Have you been officially trained in PCI DSS by their organization? This may help you out in this aspect. I noticed their documents refer to "heavy research" and using CIS to help with issues. This to me seems extremely lazy on their part, whereas in my line of work we would just refer to the STIG, and those are so cut and dry that a brain dead monkey could secure a system with them.
-
techfiend: The lack of detail in the official standard should really hurt its reputation. Clearly some of it is auditor discretion.
-
jcundiff:
techfiend wrote:
The lack of detail in the official standard should really hurt its reputation. Clearly some of it is auditor discretion.
Considering 85-90% of the standard is common sense / basic security hygiene, I doubt it...
"Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke