Amos,

It seems that there is no reason for you to talk to a QSA. This is not a "psak halacha" but the card association rules are very clear on the Level 2-4 merchants doing self assessments, as you can see for yourself on the Mastercard web site. The only factor is the volume of card *transactions* that you do - not the PAN you store.
PII is a global/general term - which has variants in different countries/states but in general the definition of PII is very simple - any combination of personal information (name, id number, address, driver license) that would enable an attacker to steal the identity of a card holder. PCI DSS does not relate to PII - it only relates to the card number and the mag stripe. However - careful - most countries have privacy regulation regarding unauthorized leakage of PII. Again - not to be confused with PCI compliance.

In short:
a) do your job right
b) stay away from QSAs - it's a racket....
c) don't keep unnecessary data in the database - that is the most effective security countermeasure of all
d) if you have resellers who send you account numbers, try to keep them out of your database - for example if you do an auth transaction or fraud check - discard the account number after the fraud check and don't update any fields in the db with the PAN. It's a PITA for the programmers but this is the true spirit of PCI.

Danny

A compensating control would be something like encrypting a payment card number where you had no other recourse. In your case

On Tue, Jul 14, 2009 at 3:11 PM, Amos Shapira <[email protected]> wrote:

> 2009/7/14 Danny Lieberman <[email protected]>:
> > Amos
> >
> > Let's separate the technical from the compliance side.
> >
> > From a compliance perspective - if your company is not a Level 1 merchant -
> > i.e. you are processing less than 1 million cc transactions/year -
> > everything is based on a SAQ - self assessment questionnaire and you don't
> > need an external auditor.
> >
> > Your compliance is what you say it is.
>
> That's nice to be reminded about - so I can say about 11.4.b "No, and
> we don't need to"?
>
> We currently aim for SAQ, not only because we are not large enough yet
> but also because for now we managed to avoid holding PAN (Primary
> Account Number(?) - the actual credit card number).
>
> We do not process payments ourselves but provide anti-fraud services
> to customers which together could potentially reach levels which
> exceed SAQ, and which might choose to send us PANs for assessment at
> some stage.
>
> > From a technical perspective - mod_security will do a good job if you keep
> > rules up to date vis-a-vis your own internal software vulnerabilities - but
>
> So if we keep our own rules tight enough it's enough to comply with 11.4
> even without "keeping rules up to date" (is this what's called
> "Compensating Control" - "We don't comply with this requirement and we
> don't need to because it's not relevant to our situation or we do
> something else which compensates"?)
>
> > strictly speaking mod_security is not an IPS. If you want OSS - then you
> > want Snort and a subscription. If you want hardware appliances - there are
> > a bunch on the market.
>
> We don't rely on mod_security alone. We also use Aide and might
> install Snort, though I suspect we might reach traffic levels and DDoS
> risk levels which will require us to start renting our own F5 Big-IP
> Local Traffic Manager (LTM) with Application Security Manager (ASM)
> from our hosting provider before we'll get to that.
>
> > If you are a Level 1 merchant (like maybe you work for Hatzi Hinam...) you
> > will have to comply with a QSA - qualified security assessor - companies
> > like Comsec in Israel - may be picky about actually having a real IPS from
> > one of the appliance vendors.....
>
> We are in contact with some local QSA (I'm in Australia, our servers
> are in the US) and they are so costly to talk to that we try to defer
> their full audit until after we have completely cleared all the low hanging
> fruit that non-QSAs like us can clean and we feel that we really
> need their services.
>
> > Your best bet is not to store any PII at all.
>
> I only learned about PII ("Personally Identifiable Information") in
> the last couple of weeks; this seems to be more of a European term (we
> started talks with a reseller in Europe then). We try to defer
> receiving of PAN for now but expect we won't be able to put it off
> forever.
>
> Thanks,
>
> --Amos

--
Danny Lieberman
-------------------------------------------------------------------------------------------------
Protect your data: http://www.software.co.il
Twitter: http://twitter.com/onlyjazz
Skype: dannyl50
Warsaw: +48-79-609-5964
Israel: +972 8 9701485
Mobile: +972 - 54 447 1114
_______________________________________________
Linux-il mailing list
[email protected]
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
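Danny's point (d), running the fraud check while the PAN is in memory and persisting only fields that cannot be turned back into the card number, as an added Python example; this is not code from anyone on the thread. The fraud rules, the HMAC key and the request record are constructed for the demonstration, and the card number is the public Visa test number.

```python
import hashlib
import hmac
import re

TOKEN_KEY = b"constructed-demo-key"  # constructed; real keys live in an HSM/KMS, not in code

# Constructed request as a reseller might send it; 4111... is the public Visa test number.
SAMPLE_REQUEST = {"merchant_ref": "ORD-0001", "pan": "4111 1111 1111 1111",
                  "amount": 120.0, "bin_country": "AU", "ip_country": "AU"}

def luhn_valid(pan: str) -> bool:
    """Mod-10 check every issuer applies to a PAN: catches mistyped numbers, not fraud."""
    digits = [int(d) for d in pan if d.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """first6 + last4 is the most of a PAN that may be kept or shown in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_token(pan: str) -> str:
    """Keyed one-way token for correlating repeat card use; unkeyed PAN hashes are brute-forceable from BIN+Luhn."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

def fraud_check(request: dict) -> dict:
    """Score while the PAN is in memory; return the only record the caller may persist (no PAN in it)."""
    pan = re.sub(r"\D", "", request["pan"])
    reasons = []
    if not luhn_valid(pan):
        reasons.append("luhn_fail")
    if request["amount"] > 5000:                          # constructed amount rule
        reasons.append("amount_over_limit")
    if request["bin_country"] != request["ip_country"]:   # constructed geo rule
        reasons.append("geo_mismatch")
    record = {"merchant_ref": request["merchant_ref"], "amount": request["amount"],
              "pan_masked": mask_pan(pan), "pan_token": pan_token(pan),
              "decision": "decline" if reasons else "approve", "reasons": reasons}
    del pan                     # the raw PAN does not outlive this function
    return record

def leaks_pan(record: dict, pan: str) -> bool:
    """Guard for the persistence layer: is the full PAN anywhere in what we are about to store?"""
    return re.sub(r"\D", "", pan) in repr(record)
```

The `leaks_pan` guard belongs in front of every database write or log call on the path that handles reseller data, so a later field addition cannot quietly reintroduce the PAN.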
