Hello, Although I agree in principle and feel that it is reprehensible for a hosting party to offer services in full knowledge of these requirements (and I will exclude the small minority that are just innocently ignorant) one must remember that the PCI-DSS is a contractual agreement with the card issuer.
So although the standard calls for the hosting company to be complaint, it is not their breach if they fail this standard, but the breach of the merchant. The merchant is contractually required to ensure that any hosting/3rd party services are contractually bound as well to this standard. However, the 3rd party remains remote from the initiating contract and is not bound by its provisions. So the 3rd party is not required to be complaint, rather the merchant is required to ensure that their contract ensure that the hosting party is bound. These may be legal distinctions, but at the end of the day, this is where it hits the proverbial fan. Regards, Craig Craig Wright Manager of Information Systems Direct : +61 2 9286 5497 [EMAIL PROTECTED] +61 417 683 914 BDO Kendalls (NSW) Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 www.bdo.com.au Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing [EMAIL PROTECTED] BDO Kendalls is a national association of separate partnerships and entities. ________________________________ From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Fri 24/08/2007 3:07 AM To: Subject: Re: PCI/DSS compliant Managed IDS I'd vote yes: "Appendix says: As referenced in Requirement 12.8, all service providers with access to cardholder data (including hosting providers) must adhere to the PCI DSS. 12.8: 12.8 If cardholder data is shared with service providers, then contractually the following is required: 12.8.1 Service providers must adhere to the PCI DSS requirements 12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses." If the monitoring of the IDS provide access to cardholder or transaction data, they must also be compliant. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
