PCI DSS Requirements

techfiend Member Posts: 1,481
After research has led mixed results I could use more info on PCI DSS compliance.

1. Does Linux require full AV software? Regular rootkit scans?
2. If code is based on EoL PHP libraries does it need to be updated, thus breaking compatibility?
2018 AWS Solutions Architect - Associate (Apr) 2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)

Comments

  • TheFORCE Member Posts: 2,297
    Incidentally I was doing some reading on this too. From what I've gathered, vulnerability scanning software out there will fail you for PCI compliance if things like that are not resolved. However, you can submit exception forms which detail other compensating or complementary controls that will make the findings get a pass.
  • gespenstern Member Posts: 1,243
    I believe it is yes on both. But that would be a perfect compliance, but almost nobody is perfect.
  • McxRisley Member Posts: 494
    As someone who works in compliance, the answer is yes to the first question. The second one would require justification for having an open finding, and as long as whoever is reviewing the findings agrees with the justification, it is allowed. You will also need a plan on how to deal with fixing the open finding and set a date for the issue to be fixed. This is what we call a POA&M (Plan of Action and Milestones).
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • techfiend Member Posts: 1,481
    The reason for the confusion on AV is that the requirements state "PCI DSS requires anti-virus to be installed on all systems that are commonly affected by malware," which leads me to believe it refers to Windows specifically.

    Is AV required on Linux or just rootkit scans? If AV, does it need to have real time protection?

    It looks like PHP 7.1 compatibility is going to the top of the list. Thanks for that information.
  • techfiend Member Posts: 1,481
    Regarding restricting physical access what would auditors see as sufficient?

    Key locked door and rack good enough or are they looking for typical datacenter security with man traps, security guards, biometric scans, etc.?
  • TechGuru80 Member Posts: 1,539
    techfiend wrote: »
    The reason for the confusion on AV is that the requirements state "PCI DSS requires anti-virus to be installed on all systems that are commonly affected by malware," which leads me to believe it refers to Windows specifically.
    To me that would include Linux/UNIX/Mac...but might exclude embedded types of operating systems. To be honest, if you don't have anti-virus on your non-Windows systems, even if not regulated, that is being irresponsible.
    techfiend wrote: »
    Regarding restricting physical access what would auditors see as sufficient?

    Key locked door and rack good enough or are they looking for typical datacenter security with man traps, security guards, biometric scans, etc.?
    Typical would be at least a badge proximity scanner...if you are of decent size and using a key lock, I would resolve that pretty quick. Think about if there is turnover with key holders and locks don't get changed, or if you have a weak lock...not the best security. It's all a risk management calculation how much further to go...if the data gets compromised and you lose $10,000...are you really gonna spend $50,000 on a security guard? Probably not.

    A receptionist could double as somewhat of a "security guard" in the sense that they are monitoring access in and out. Biometrics aren't very common except in high security areas...and still don't seem to be widely accepted by would be users.
  • McxRisley Member Posts: 494
    Have you been officially trained in PCI DSS by their organization? This may help you out in this aspect. I noticed their documents refer to "heavy research" and using CIS to help with issues. This to me seems extremely lazy on their part, whereas in my line of work we would just refer to the STIG, and those are so cut and dry that a brain-dead monkey could secure a system with them.
  • techfiend Member Posts: 1,481
    The lack of detail in the official standard should really hurt its reputation. Clearly some of it is auditor discretion.
  • jcundiff Member Posts: 486
    techfiend wrote: »
    The lack of detail in the official standard should really hurt its reputation. Clearly some of it is auditor discretion.

    Considering 85-90% of the standard is common sense / basic security hygiene, I doubt it...
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke