Actually, I agree with Craig but don't think he goes quite far enough. There is due diligence that a company should (needs to?) do as part of meeting their contractual obligation under PCI/DSS. With a MIDS vendor, who keeps the alert logs is a basic question. In my case we decided that the vendor must meet the log keeping requirement but that we would get a copy of the archive each month and maintain our own copies of the alert logs.
It is important to remember that one of the key reasons PCI/DSS exists is to transfer risk/liability from the issuers to the merchants. This is not to denigrate the fact that PCI/DSS can lead to improved security practices. Mike -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Wright Sent: Thursday, August 23, 2007 3:52 PM To: [EMAIL PROTECTED]; [email protected] Subject: RE: PCI/DSS compliant Managed IDS Hello, PCI is a contractual arrangement. It is not legistlative. So the answer is a resonding maybe. OR and it depends. If the Managed IDS [MIDS] supplier is specifically stating that they are offering PCI-DSS services, than they would have to meet the requirements in either case or it is a trade practices/unfair dealings/false statement issue. This is either a civil tort or criminal offense. The onus is for the merchant or issuer using the MIDS to ensure that they have a contract stating this. Section 12.8 states: 12.8 If cardholder data is shared with service providers, then contractually the following is required: 12.8.1 Service providers must adhere to the PCI DSS requirements 12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses. This is a contractual arrangement. You also need to read Requirement A.1: Hosting providers protect cardholder data environment If the merchant etc did not contract to have the provider be PCI-DSS compliant and the provider did not explicitly state that they are, then the merchant is in breach of the PCI-DSS - and NOT the MIDS provider. Regards, Craig Craig Wright Manager of Information Systems Direct : +61 2 9286 5497 [EMAIL PROTECTED] +61 417 683 914 BDO Kendalls (NSW) Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 www.bdo.com.au Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing [EMAIL PROTECTED] BDO Kendalls is a national association of separate partnerships and entities. ________________________________ From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Fri 24/08/2007 1:37 AM To: [email protected] Subject: PCI/DSS compliant Managed IDS Would Managed Security Company providing a Managed IDS service for a company with Tier 1 PCI/DSS compliance have to be PCI/DSS compiaant itself? Does anyone have an opinion or experience with this? regards Marino ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig n=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig n=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
