[uknof] PCI DSS and IPv6

2012-01-31 Thread Paul M
I note that PCI DSS poses a problem for IPv6, in that section 1.3.8 (my copy is dated October 2010) mandates that private IP addresses (they clearly mean RFC1918) are not revealed to or routable from the internet (my paraphrasing). Given that most systems which are required to be PCI-DSS compliant

Re: [uknof] PCI DSS and IPv6

2012-01-31 Thread Leo Vegoda
Hi, Paul wrote: > I note that PCI DSS poses a problem for IPv6, in that section 1.3.8 > (my copy is dated October 2010) mandates that private IP addresses > (they clearly mean RFC1918) are not revealed to or routable from the > internet (my paraphrasing). Are RFC 4193 addresses not substitutable

Re: [uknof] PCI DSS and IPv6

2012-01-31 Thread Tom Hill
On 31/01/12 15:35, Leo Vegoda wrote: I note that PCI DSS poses a problem for IPv6, in that section 1.3.8 (my copy is dated October 2010) mandates that private IP addresses (they clearly mean RFC1918) are not revealed to or routable from the internet (my paraphrasing). Are RFC 4193 addresses not

Re: [uknof] PCI DSS and IPv6

2012-01-31 Thread Gavin Hamill
On Tue, 2012-01-31 at 21:02 +, Tom Hill wrote: > On 31/01/12 15:35, Leo Vegoda wrote: > >> I note that PCI DSS poses a problem for IPv6, in that section 1.3.8 > >> (my copy is dated October 2010) mandates that private IP addresses > >> (they clearly mean RFC1918) are not revealed to or routable

Re: [uknof] PCI DSS and IPv6

2012-01-31 Thread Thomas Mangin
On 31 Jan 2012, at 22:34, Gavin Hamill wrote: > PCI-DSS gets a lot of bad press (mainly for the genius of the card > industry for being able to shift the risk to every merchant on the > planet) but is generally founded in common sense. The problem tends to > be with auditors who have a long list

Re: [uknof] PCI DSS and IPv6

2012-01-31 Thread Neil J. McRae
They set a framework - which isn't bad at all. It's interpretation of that framework that is the problem. Sent from my iPhone On 31 Jan 2012, at 22:38, "Gavin Hamill" wrote: > On Tue, 2012-01-31 at 21:02 +, Tom Hill wrote: >> On 31/01/12 15:35, Leo Vegoda wrote: I note that PCI DSS p

Re: [uknof] PCI DSS and IPv6

2012-01-31 Thread Gavin Hamill
On Tue, 2012-01-31 at 22:45 +, Thomas Mangin wrote: > Furthermore auditors make more money by failing you than trying to > understand what you have really done to secure the devices in scope. > Finding a good auditor is the most important step in any PCI/DSS > undertaking. From my own experi

Re: [uknof] PCI DSS and IPv6

2012-01-31 Thread Neil J. McRae
"management" if only they didn't exist and we could get rid of all the customers! I've deployed PCI accreditation (and many other more painful frameworks) on several occasions; no failure was needed. This isn't about the piece of paper, it's about ensuring that you manage risk effectively. Se