Tuesday, February 3, 2009

Some things just don't rest as easy as others.

I had a phone conversation this week that is still somewhat bothering me. This once again has to do with PCI.

Earlier this week I had a phone conversation with a gentleman who is affiliated with a major credit card company. This gentleman requested that a particular IP address be deleted from his company profile because the device contained a vulnerability that currently affected PCI. He was asking me to delete the device because he would like to print out a compliant PCI report and this vulnerability was preventing him from accomplishing this task. My entire conversation consisted of me trying to make the customer understand that he needs to be very careful in determining the scope of devices for his PCI compliance. The customer's response to this was that he will need to consult with his IT department and that he is only the Chief Security Adviser for the company.

Now I know that it doesn't take an elite Security Professional to recognize that something is quite odd about this, and that if anyone should be following PCI to a T, it should be the major credit card companies (or their affiliates) themselves.

After I tried to provide as much information as possible, the issue quickly became that they do not have enough resources to mitigate it and would just like to remove the device from their profile and address it at a later time. I then proceeded to inform the customer that we do ask them to verify that all devices contained within the scope of PCI compliance have been added to be scanned, and that we ask them to verify that they are not swaying the vulnerability information in any way whatsoever.

This phone call ultimately ended up with me pointing the customer to the details on how to remove the device. As a final point of consultation I tried to have the customer read the PCI 1.2 documentation to determine the scope of all devices, and I was informed that he knew the documentation front to back and that it is not a concern.

I would love to describe the moral of the story to everyone, but I think this is a no-brainer, so I will leave it at that.