mod_security "Got Root" rule updating service

Danny Lieberman dannyl at software.co.il
Tue Jul 14 22:23:17 IDT 2009


Amos,

It seems that there is no reason for you to talk to a QSA.  This is not a
"psak halacha" but the card association rules are very clear on the Level
2-4 merchants doing self assessments as you can see for yourself on the
Mastercard web site. The only factor is the volume of card
*transactions* that you do - not the PAN you store.

PII is a global/general term - which has variants in different
countries/states but in general the definition of PII is very simple - any
combination of personal information (name, id number, address, driver
license) that would enable an attacker to steal the identity of a card
holder.  PCI DSS does not relate to PII - it only relates to the card number
and the mag stripe. However - careful - most countries have privacy
regulation regarding unauthorized leakage of PII. Again - not to be confused
with PCI compliance.

In short
a) do your job right
b) stay away from QSA's - it's a racket....
c) don't keep unnecessary data in the database - that is the most effective
security countermeasure of all
d) If you have resellers who send you account numbers, try to keep them out
of your database - for example if you do an auth transaction or fraud check
- discard the account number after the fraud check and don't update any
fields in the db with the PAN. It's a PITA for the programmers but this is
the true spirit of PCI.

Danny

A compensating control would be something like encrypting a payment card
number where you had no other recourse. In your case

On Tue, Jul 14, 2009 at 3:11 PM, Amos Shapira <amos.shapira at gmail.com> wrote:

> 2009/7/14 Danny Lieberman <dannyl at software.co.il>:
> > Amos
> >
> > Let's separate the technical from the compliance side.
> >
> > From a compliance perspective - if your company is not a Level 1 merchant -
> > i.e. you are processing less than 1 million cc transactions/year -
> > everything is based on a SAQ - self assessment questionnaire and you don't
> > need an external auditor.
> >
> > Your compliance is what you say it is.
>
> That's nice to be reminded about - so I can say about 11.4.b "No, and
> we don't need to"?
>
> We currently aim for SAQ, not only because we are not large enough yet
> but also because for now we managed to avoid holding PAN (Primary
> Account Number(?) - the actual credit card number).
> We do not process payments ourselves but provide anti-fraud services
> to customers which together could potentially reach levels which
> exceed SAQ, and which might choose to send us PAN's for assessment at
> some stage.
>
> >
> > From a technical perspective - mod_security will do a good job if you keep
> > rules up to date vis-a-vis your own internal software vulnerabilities - but
>
> So if we keep our own rules tight enough it's enough to comply to 11.4
> even without "keeping rules up to date" (is this what's called
> "Compensating Control" - "We don't comply to this requirement and we
> don't need to because it's not relevant to our situation or we do
> something else which compensates"?)
>
> > strictly speaking mod_security is not an IPS. If you want OSS - then you
> > want Snort and a subscription. If you want hardware appliances - there are
> > a bunch on the market.
>
> We don't rely on mod_security alone. We use also Aide and might
> install Snort, though I suspect we might reach traffic levels and DDoS
> risk levels which will require us to start renting our own F5 Big-IP
> Local Traffic Manager (LTM) with Application Security Manager (ASM)
> from our hosting provider before we'll get to that.
>
> >
> > If you are a Level 1 merchant (like maybe you work for Hatzi Hinam...) you
> > will have to comply with a QSA - qualified security assessor - companies
> > like Comsec in Israel - may be picky about actually having a real IPS from
> > one of the appliance vendors.....
>
> We are in contact with some local QSA (I'm in Australia, our servers
> are in the US) and they are so costly to talk to that we try to defer
> their full audit until after we completely cleared all the low hanging
> fruits that non-QSA's like us can clean and we feel that we really
> need their services.
>
> >
> > Your best bet is not to store any PII at all.
>
> I only learned about PII ("Personally Identifiable Information") in
> the last couple of weeks, this seems to be more of a European term (we
> started talks with a reseller in Europe then). We try to defer
> receiving of PAN for now but expect we won't be able to put it off
> forever.
>
> Thanks,
>
> --Amos
>



-- 
Danny Lieberman
-------------------------------------------------------------------------------------------------
Protect your data: http://www.software.co.il
Twitter:  http://twitter.com/onlyjazz
Skype:  dannyl50
Warsaw:+48-79-609-5964
Israel:   +972 8 9701485
Mobile: +972 - 54 447 1114
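Point (d) in the message above, as an added example that is not from the thread: a fraud-check handler that uses the PAN in memory only, persists a PCI-style truncated form, and refuses to write any record in which a full PAN survives. The request field names, the high-risk BIN list and the scoring are assumptions made for this example.

```python
import re

# Constructed sample request from a reseller; the PAN is a well-known test
# number, not a real card. Field names are assumptions for this example.
SAMPLE_REQUEST = {"merchant_ref": "order-1234", "pan": "4111 1111 1111 1111",
                  "amount": 149.90, "country": "AU"}

HIGH_RISK_BINS = {"411111", "555555"}      # assumed risk list, made-up values
PAN_PATTERN = re.compile(r"\d{13,19}")     # anything that looks like a full PAN


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cheap sanity check before spending a fraud lookup."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def fraud_score(pan: str, amount: float) -> int:
    """Toy fraud check: the only place the cleartext PAN is used."""
    score = 0 if luhn_ok(pan) else 50
    if pan[:6] in HIGH_RISK_BINS:
        score += 30
    if amount > 1000:
        score += 20
    return score


def truncate_pan(pan: str) -> str:
    """Keep at most first 6 and last 4 digits (the PCI DSS truncation limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def contains_pan(record: dict) -> bool:
    """Guard to run before any DB write: does any field still hold a PAN?"""
    return any(PAN_PATTERN.search(str(v)) for v in record.values())


def assess(request: dict) -> dict:
    """Run the fraud check, then build the only record that may be persisted;
    the full PAN is used once and never copied into it."""
    pan = re.sub(r"\D", "", request["pan"])
    record = {
        "merchant_ref": request["merchant_ref"],
        "pan_truncated": truncate_pan(pan),
        "amount": request["amount"],
        "country": request["country"],
        "fraud_score": fraud_score(pan, request["amount"]),
    }
    if contains_pan(record):
        raise ValueError("refusing to persist a record that holds a full PAN")
    return record
```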