On Thu, Dec 04, 2014 at 06:18:30AM PST, Mark McCullough spake thusly:

> The rule that violates PCI: Requirement to lock or disable accounts after x
> failed login attempts. That's a remotely executable, no authentication
> required denial of service attack that is demonstrated over and over again.
> Since it is a known vulnerability, it must be remediated, per PCI.
You would be referring to Requirement 8.1.6: Limit repeated access attempts by locking out the user ID after not more than six attempts. This isn't a violation of PCI as PCI isn't concerned with data availability. They would rather the data be unavailable or even destroyed than to have card data leak. This is very much as opposed to something like HIPAA where data availability is every bit as important as confidentiality. HIPAA beats the CIA (Confidentiality, Integrity, Availability) drum regularly whereas PCI only cares about Confidentiality.

-- 
Tracy Reed
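The exchange above is about a design trade-off: Requirement 8.1.6 mandates locking a user ID after at most six failed attempts, and Mark's point is that anyone who can reach the login endpoint can trigger that lock against someone else's account. The following is an added example, not code from either poster, showing one way a defender bounds that availability cost while still meeting the six-attempt limit: the lock expires on a timer rather than being permanent (the 30-minute duration is an assumption, not something the thread states), and every lockout event is written to an audit trail keyed by source address so that a burst of lockouts from one source can be surfaced as the denial-of-service pattern rather than a string of unrelated user errors. The addresses and log format are constructed for the example.

```python
"""Account lockout with a timed unlock and a per-source lockout monitor.

Added example for the PCI DSS 8.1.6 discussion above; not from the thread.
Assumptions: a 30-minute auto-unlock window, and a simple in-memory audit
log whose line format is invented here.
"""
import time
from collections import Counter, defaultdict
from dataclasses import dataclass

MAX_FAILURES = 6            # PCI DSS 8.1.6: lock after not more than six attempts
LOCKOUT_SECONDS = 30 * 60   # assumption: timed auto-unlock instead of a permanent lock


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed attempts since last success/unlock
    locked_until: float = 0.0 # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Tracks failed logins per user ID and enforces the lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for testing
        self.accounts = defaultdict(AccountState)
        self.audit = []                         # constructed audit log lines

    def is_locked(self, user):
        return self.accounts[user].locked_until > self.clock()

    def attempt(self, user, source, password_ok):
        """Record one login attempt; returns 'ok', 'fail' or 'locked'."""
        now = self.clock()
        st = self.accounts[user]
        if st.locked_until > now:
            # Even a correct password is refused while locked: this is the
            # availability cost the thread is discussing.
            self.audit.append(f"DENIED user={user} src={source} reason=locked")
            return "locked"
        if st.locked_until:
            # Lock has expired: clear it and start counting afresh.
            st.failures = 0
            st.locked_until = 0.0
        if password_ok:
            st.failures = 0
            self.audit.append(f"OK user={user} src={source}")
            return "ok"
        st.failures += 1
        self.audit.append(f"FAIL user={user} src={source} n={st.failures}")
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            self.audit.append(
                f"LOCKOUT user={user} src={source} until={st.locked_until:.0f}")
            return "locked"
        return "fail"


def lockout_sources(audit):
    """Count LOCKOUT events per source address.

    One source locking out many different user IDs is the signature of the
    remote lockout denial of service; a defender alerts on that rather than
    on individual lockouts.
    """
    counts = Counter()
    for line in audit:
        if line.startswith("LOCKOUT "):
            fields = dict(f.split("=", 1) for f in line.split()[1:])
            counts[fields["src"]] += 1
    return counts


class FakeClock:
    """Controllable clock so the timed unlock can be exercised offline."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed scenario: six bad passwords from one address lock 'alice';
    the real owner is then refused until the lock expires."""
    clock = FakeClock(1000.0)
    policy = LockoutPolicy(clock)
    for _ in range(MAX_FAILURES):
        policy.attempt("alice", "203.0.113.7", password_ok=False)
    owner_while_locked = policy.attempt("alice", "198.51.100.4", password_ok=True)
    clock.advance(LOCKOUT_SECONDS + 1)
    owner_after_expiry = policy.attempt("alice", "198.51.100.4", password_ok=True)
    return owner_while_locked, owner_after_expiry, lockout_sources(policy.audit)


if __name__ == "__main__":
    print(demo())
```

The timed unlock does not remove the trade-off Mark describes; it only caps how long a single burst of bad passwords keeps the legitimate user out, and the per-source lockout count gives the operations team something concrete to alert on and block upstream.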
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
