<div dir="ltr">Amos,<br><br>It seems that there is no reason for you to talk to a QSA. This is not a "psak halacha" but the card association rules are very clear on the Level 2-4 merchants doing self-assessments as you can see for yourself on the Mastercard web site. The only factor is the volume of card <b>transactions</b> that you do - not the PAN you store. <br>
<br>PII is a global/general term - which has variants in different countries/states but in general the definition of PII is very simple - any combination of personal information (name, id number, address, driver license) that would enable an attacker to steal the identity of a card holder. PCI DSS does not relate to PII - it only relates to the card number and the mag stripe. However - careful - most countries have privacy regulation regarding unauthorized leakage of PII. Again - not to be confused with PCI compliance.<br>
<br>In short <br>a) do your job right<br>b) stay away from QSAs - it's a racket....<br>c) don't keep unnecessary data in the database - that is the most effective security countermeasure of all<br>d) If you have resellers who send you account numbers, try to keep them out of your database - for example if you do an auth transaction or fraud check - discard the account number after the fraud check and don't update any fields in the db with the PAN. It's a PITA for the programmers but this is the true spirit of PCI.<br>
<br>Danny<br><br>A compensating control would be something like encrypting a payment card number where you had no other recourse. In your case <br><br><div class="gmail_quote">On Tue, Jul 14, 2009 at 3:11 PM, Amos Shapira <span dir="ltr"><<a href="mailto:amos.shapira@gmail.com">amos.shapira@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">2009/7/14 Danny Lieberman <<a href="mailto:dannyl@software.co.il">dannyl@software.co.il</a>>:<br>
<div class="im">> Amos<br>
><br>
> Let's separate the technical from the compliance side.<br>
><br>
> From a compliance perspective - if your company is not a Level 1 merchant -<br>
> i.e. you are processing less than 1 million cc transactions/year -<br>
> everything is based on a SAQ - self assessment questionnaire and you don't<br>
> need an external auditor.<br>
><br>
> Your compliance is what you say it is.<br>
<br>
</div>That's nice to be reminded about - so I can say about 11.4.b "No, and<br>
we don't need to"?<br>
<br>
We currently aim for SAQ, not only because we are not large enough yet<br>
but also because for now we managed to avoid holding PAN (Primary<br>
Account Number(?) - the actual credit card number).<br>
We do not process payments ourselves but provide anti-fraud services<br>
to customers which together could potentially reach levels which<br>
exceed SAQ, and which might choose to send us PANs for assessment at<br>
some stage.<br>
<div class="im"><br>
><br>
> From a technical perspective - mod_security will do a good job if you keep<br>
> rules up to date vis-a-vis your own internal software vulnerabilities - but<br>
<br>
</div>So if we keep our own rules tight enough it's enough to comply to 11.4<br>
even without "keeping rules up to date" (is this what's called<br>
"Compensating Control" - "We don't comply to this requirement and we<br>
don't need to because it's not relevant to our situation or we do<br>
something else which compensates"?)<br>
<div class="im"><br>
> strictly speaking mod_security is not an IPS. If you want OSS - then you<br>
> want Snort and a subscription If you want hardware appliances - there are<br>
> a bunch on the market.<br>
<br>
</div>We don't rely on mod_security alone. We also use Aide and might<br>
install Snort, though I suspect we might reach traffic levels and DDoS<br>
risk levels which will require us to start renting our own F5 Big-IP<br>
Local Traffic Manager (LTM) with Application Security Manager (ASM)<br>
from our hosting provider before we'll get to that.<br>
<div class="im"><br>
><br>
> If you are a Level 1 merchant (like maybe you work for Hatzi Hinam...) you<br>
> will have to comply with a QSA - qualified security assessor - companies<br>
> like Comsec in Israel - may be picky about actually having a real IPS from<br>
> one of the appliance vendors.....<br>
<br>
</div>We are in contact with some local QSAs (I'm in Australia, our servers<br>
are in the US) and they are so costly to talk to that we try to defer<br>
their full audit until after we have completely cleared all the low-hanging<br>
fruit that non-QSAs like us can clear and we feel that we really<br>
need their services.<br>
<div class="im"><br>
><br>
> Your best bet is not to store any PII at all.<br>
<br>
</div>I only learned about PII ("Personally Identifiable Information") in<br>
the last couple of weeks, this seems to be more of a European term (we<br>
started talks with a reseller in Europe then). We try to defer<br>
receiving of PAN for now but expect we won't be able to put it off<br>
forever.<br>
<br>
Thanks,<br>
<font color="#888888"><br>
--Amos<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Danny Lieberman<br>-------------------------------------------------------------------------------------------------<br>Protect your data: <a href="http://www.software.co.il">http://www.software.co.il</a><br>
Twitter: <a href="http://twitter.com/onlyjazz">http://twitter.com/onlyjazz</a><br>Skype: dannyl50<br>Warsaw:+48-79-609-5964<br>Israel: +972 8 9701485<br>Mobile: +972 - 54 447 1114<br>
</div>
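The "discard the account number after the fraud check" advice in point d) above, worked through as an added example that is not part of either author's message. It assumes a Python fraud-check service and uses hypothetical names (process_fraud_check, fraud_score, TOKEN_KEY); the scoring rules and the request data are constructed for the illustration. The PAN is used for Luhn validation and to derive a keyed HMAC token plus a first-six/last-four truncation, and only those derived values are ever written to the record that would be persisted; a log redaction helper catches any PAN that leaks into a message.

```python
"""Use a card number (PAN) for a fraud check without ever persisting it.

Added example; assumes a Python service. fraud_score, TOKEN_KEY and the
request layout are hypothetical and constructed for this illustration.
"""
import hashlib
import hmac
import re

# Placeholder key for the example. In a real service this comes from an
# HSM/KMS and is never stored next to the data it tokenises.
TOKEN_KEY = b"example-key-replace-with-kms-managed-secret"

# Anything that looks like a 13-19 digit run; used only to catch leaks.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Keep at most the first six and last four digits (the form PCI DSS
    allows to be stored); everything in between is masked."""
    return f"{pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}"


def pan_token(pan: str) -> str:
    """Keyed HMAC of the PAN so repeat use of one card can be linked.

    A plain SHA-256 would be brute-forceable over the ~10^15 possible
    PANs; the secret key is what makes the token safe to store."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def redact(text: str) -> str:
    """Mask any PAN-shaped digit run before text reaches a log line."""
    return PAN_RE.sub(lambda m: truncate(m.group(0)), text)


# Toy per-card velocity counter keyed by token, not by PAN.
_velocity: dict[str, int] = {}


def fraud_score(amount: float, token: str) -> int:
    """Constructed scoring rules: flag large amounts and repeat cards."""
    _velocity[token] = _velocity.get(token, 0) + 1
    score = 0
    if amount > 1000:
        score += 50
    if _velocity[token] > 3:
        score += 40
    return score


def process_fraud_check(request: dict) -> dict:
    """Validate the PAN, score the transaction, and return the only
    record that should ever be written to the database."""
    pan = request["pan"].replace(" ", "")
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    token = pan_token(pan)
    record = {
        "merchant_id": request["merchant_id"],
        "amount": request["amount"],
        "pan_truncated": truncate(pan),
        "pan_token": token,
        "score": fraud_score(request["amount"], token),
    }
    del pan  # the full number goes no further than this function
    # Belt and braces: refuse to hand back a record that still carries a PAN.
    if PAN_RE.search(repr(record)):
        raise RuntimeError("PAN leaked into persistable record")
    return record


if __name__ == "__main__":
    req = {"merchant_id": "m-42", "amount": 25.0, "pan": "4111 1111 1111 1111"}
    print(process_fraud_check(req))
    print(redact("auth for 4111111111111111 declined"))
```

The returned record is what goes into the database and into any downstream update; the PAN itself exists only on the stack of process_fraud_check. Velocity and repeat-card checks work on the HMAC token, which shows that the fraud logic does not need the raw number to be retained.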