Hari,

"except for organisations that process card data"
^^ This includes on-line shops accepting credit card payments.

card vendors:
"... *Payment Card Industry Security Standards Council*, an independent council originally formed by American Express <http://en.wikipedia.org/wiki/American_Express>, Discover Financial Services <http://en.wikipedia.org/wiki/Discover_Card>, JCB <http://en.wikipedia.org/wiki/Japan_Credit_Bureau>, MasterCard Worldwide <http://en.wikipedia.org/wiki/MasterCard> and Visa International <http://en.wikipedia.org/wiki/Visa_%28company%29> on Sept. 7, 2006..." Also PayPal connects to credit cards (or bank accounts, but only in certain countries).

As usual you have a bunch of associations, groups, projects, organisations and standards. All of them have their own way to contribute and provide information for someone who is looking for help. Compare it with the W3C consortium: for some people it is a standard, for some people not. Even the IETF standards are not completely followed by all vendors! Which one is likely to gain the _most_ respected influence in the "international community" is unknown. To make it short, the question is now: why would the PCI security standard gain this kind of importance in the industry? I've found a pretty astonishing market report about the e-commerce sector:
http://th.nielsen.com/site/documents/GlobalOnlineShoppingReportFeb08.pdf

"When The Nielsen Company conducted its first survey into online shopping habits two years ago, only 10 percent of the world’s online population (627 million) had made a purchase over the Internet. Within two years, this number has surged by approximately 40 percent – to a staggering 875 million."

This survey was "conducted from October to November 2007" (last page in the report), _two_ years ago. I've got less reliable sources saying that almost 85% of web users in the US shop online today and 99% in Korea. Especially on the US market the usage of credit cards in on-line shops is very common. Looking at the amount of users you can imagine how many websites, respectively hosting providers, have to be PCI compliant. That would explain the influence and importance of the PCI security standard in the WWW and the pressure on the various providers of online shopping software and configuration panel providers to comply without further adjustments.

I am sure the e-commerce sector would pick up very fast in Uganda as well. E.g. I can imagine it would be a huge relief for the Ugandan music industry to sell music on-line accepting credit card payments from the international user base.

I hope this is more convincing ;)

Rocco
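The quoted messages below argue about service banners that give away version information (an Exim SMTP greeting, a Postfix banner, the HTTP Server header). As an added example, not code from anyone in this thread, here is a small self-check that scans such lines for a product/version pair; the sample banners other than the quoted Exim line are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample banners/headers for this example. The Exim line is the
# one quoted in the thread; the others are made up to illustrate the check.
SAMPLES: Dict[str, str] = {
    "smtp-exim": "220-server.it-doc24.com ESMTP Exim 4.69",
    "smtp-postfix": "220 mail.example.test ESMTP Postfix (2.3.3)",
    "smtp-clean": "220 mail.example.test ESMTP",
    "http-verbose": "Server: Apache/2.2.3 (CentOS) PHP/5.1.6",
    "http-clean": "Server: Apache",
}

# A product name followed by a dotted version number, separated by a space,
# a slash or an opening parenthesis: "Exim 4.69", "Apache/2.2.3", "Postfix (2.3.3)".
# Hostnames such as "server.it-doc24.com" do not match because "." is not a separator.
PRODUCT_VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][A-Za-z0-9_-]*)[ /(]+(?P<version>\d+\.\d+(?:\.\d+)*)"
)


def disclosed_versions(text: str) -> List[Tuple[str, str]]:
    """Return every (product, version) pair a banner or header line gives away."""
    return [(m.group("product"), m.group("version"))
            for m in PRODUCT_VERSION_RE.finditer(text)]


def audit(samples: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each sample that leaks a version to the pairs it leaks; clean samples are omitted."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for name, text in samples.items():
        found = disclosed_versions(text)
        if found:
            findings[name] = found
    return findings


# Directives (from each project's own documentation) that produce the "clean"
# form of the banners above:
#   Postfix  main.cf   smtpd_banner = $myhostname ESMTP
#   Exim     config    smtp_banner = $primary_hostname ESMTP
#   Apache   httpd.conf ServerTokens Prod
#   nginx    nginx.conf server_tokens off;
#   PHP      php.ini   expose_php = Off

if __name__ == "__main__":
    for name, leaks in audit(SAMPLES).items():
        print(f"{name}: discloses {', '.join(f'{p} {v}' for p, v in leaks)}")
```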

Hari Kurup wrote:
Rocco,

I am glad your mail server is now PCI compliant :-)

However as I mentioned earlier, I am not convinced that the PCI DSS are
a general security reference by the "international community" except for
organisations that process card data such as banks and card merchants.

And it does not mean that folks who, for other reasons, have implemented
any of what PCI says are in compliance with them.

--
Hari

On 11/29/09 2:18 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:
Hari,
I forgot to comment about the other extract.

I might have misunderstood your comment about the IETF. It often happens
when talking about security matters that a 'head in the sand' mentality
shows up. “Is it a standard? Is it necessary? Does it influence my
set-up?” That is why I tried to explain the point of hiding version
information. After revising your comment, I can now see your issue about
the reference to the PCI recommendations.
It might not be of concern to Ugandan industry yet. Processing of
payment/credit card data in on-line applications is not common in Uganda
at the moment. But the international industry has picked up on the
matter and that not only because of the security issues but also because
of business logic.
They can sell and distinguish from other products by implementing the
PCI DSS recommendations into their applications or as a standard
configuration of their products. The value added service is that it is
easier for the end user to pass a compliance test without in depth
alteration of the configuration or application. That is a convincing
selling point. Even web hosting control panels such as Plesk, ISPConfig,
LxAdmin, cPanel, etc. start to implement those recommendations into the
standard "server" settings or at least as options. Or open source
on-line shop software. Or if you look at the changes in a standard
configured php.ini file of different Linux Distributions over the years.
So even if it’s not an internet standard the PCI DSS recommendations
have gained importance in the industry. E.g. the redpepper.ug website is
not processing credit card information (I suppose), yet the http
server's version information is hidden in the http request header. That
is in accordance with the PCI recommendations even though it wouldn't be
necessary. That could be due to the provider's standard configuration
policy.

Best regards,
Rocco

Hari Kurup wrote:
Rocco,

My point was not about the merits or demerits of hiding version info,
but about the reference to "PCI" that you gave. If it is a commonly
referenced security standard, I must have been living under a rock
because I had never heard of it till today.

While we are at it, why does your own mail server disclose version info?

220-server.it-doc24.com ESMTP Exim 4.69

--
Hari

On 11/28/09 1:39 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:
That is right. It's not an internet standard but a commonly used security
standard. Not only for the payment card industry but also for
web/internet server/services security audits amongst some other security
"recommendations". E.g. in case the website would process credit card
information.
Whether it's a must or not, a standard or a recommendation, just go by
logic. Do you want to hand out (disclose) the version information of a
running service? Indicating which vulnerabilities the service has?
Believing the banner, Postfix 2.3.3 was released in Aug/Oct 2006 .......

Hari Kurup wrote:
On 11/28/09 12:21 PM, IT-Doc24 Ltd. - Rocco Radisch wrote:

(the version information should be cut out, called a banner; it's
against PCI recommendation)
https://www.pcisecuritystandards.org/
right, so PCI stands for "Payment Card Industry"
They make standards that apply "to all organizations which hold,
process, or pass cardholder information from any card branded with the
logo of one of the card brands"
(ref:
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard)

As they don't make internet standards (that is the work of the IETF), I
don't see why you would rely on their recommendations unless you are one
of the said organisations.

--
Hari
_______________________________________________
LUG mailing list
[email protected]
http://kym.net/mailman/listinfo/lug
%LUG is generously hosted by INFOCOM http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them
(including attachments if any). The List's Host is not responsible for
them in any way.
---------------------------------------

