[Owasp-Mumbai] PCI DSS and IT Security

Dinesh O'Bareja dinesh.lists at gmail.com
Mon May 31 02:34:30 EDT 2010


My understanding is.. even if you do not store the data but are an
outsourced provider and have access to the data store at the PCI entity
(bank / acquirer etc.) be prepared to be asked to become PCI compliant. Any
organization which is under PCI purview will ensure that their vendors /
outsourced service providers are compliant.
So, I shall concur with Vaibhav's statement.

You will be surprised to see how far "downstream" the PCI compliant company
will go in order to ensure that their own house is in order. The logic is
simple - if your client asks you to ensure compliance it is no sweat off their
back since you have to spend your own money. And they are able to ensure
that all roads leading into and out of their organization are reasonably
secured.

On Mon, May 31, 2010 at 11:18 AM, vaibhav aher <vaibhavaher at gmail.com> wrote:

> >>>For the entities that deal with the transaction information about retail
> & commercial >>>banking and *NOT* store any cardholder data, PCI-DSS is *
> NOT* applicable.
>
> ^^NOT TRUE, transaction and storage always come into scope, and PCI DSS is
> applicable.
>
> Regards
> Vaibhav Aher
>
>
> On Fri, May 28, 2010 at 10:51 PM, Bhaven T. Haria <
> bhaven.haria at paladion.net> wrote:
>
>>
>> Hi Purohit,
>>
>>
>>
>> Shall try to answer some parts of your question:
>>
>> > PCI-DSS is applicable to the entities storing, processing or
>> transmitting payment cardholder data. *(Master, VISA, AMEX, Discover,
>> JCB)*
>>
>> > For the entities that deal with the transaction information about retail
>> & commercial banking and *NOT* store any cardholder data, PCI-DSS is *NOT
>> * applicable.
>>
>> > For implementation of PCI-DSS, it’s better to start with scoping the
>> cardholder environment, so that the investments & implementation efforts can
>> be confined.
>>
>> > After scoping, a GAP assessment is carried out against the standard to
>> determine the implementation action items.
>>
>> > PCI-DSS implementation is then carried out, followed by the validation –
>> which can be a QSA audit or SAQ (Self-assessment Questionnaire) filling.
>>
>> > Periodicity of vulnerability scanning, application security testing,
>> penetration testing, wireless scanning, etc. has been defined in the
>> standard. For the entities that want to implement or sustain the compliance,
>> this periodicity needs to be demonstrated.
>>
>>
>>
>> Obvious Reference: PCI-DSS Standard<https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html>
>>
>>
>>
>> Have got some interesting reads on PCI-DSS. Do let me know if you want me to
>> pass them on.
>>
>>
>>
>> Cheers,
>>
>> Bhaven
>> http://in.linkedin.com/in/bhavenharia
>>
>> On 28 May 2010 17:51, purohit singh <purohitsingh2 at gmail.com> wrote:
>>
>>> Dear All,
>>>
>>> This is with reference to PCI DSS. Is the PCI DSS policy only restricted
>>> to applications, systems and environments where debit cards or credit cards
>>> are used for transactions? How about transactions involving internet
>>> banking for retail users and corporate banking for corporates where no
>>> credit card or debit card details are used? Also, how is PCI DSS policy
>>> technically implemented? Financial and banking organizations don't implement
>>> the PCI DSS policy in the first step. There is a lot of opposition and
>>> red-tapism to change. The application penetration testing is executed in one
>>> phase, the network pen-test is done at a later stage, the web server VA and
>>> database audit are done randomly. So how is the PCI DSS policy executed and
>>> integrated? Please clarify.
>>>
>>> With regards,
>>> Purohit Singh
>>>
>>> _______________________________________________
>>> OWASP-Mumbai mailing list
>>>
>>> OWASP-Mumbai at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>
>>>
>>