On Thu, Mar 26, 2009 at 02:28:21AM -0400, Zephaniah E. Hull wrote:
> On Wed, Mar 25, 2009 at 01:15:02PM +0000, Mark Brown wrote:
> > This is also an issue in some other industries for things like the PCI
> > DSS (http://en.wikipedia.org/wiki/PCI_DSS), FWIW.
>
> Taken with a grain of salt, but I can't recall any part of the PCI
> DSS which Debian doesn't comply with at least as well as Redhat does.

The issue is not whether we comply, it's whether we've got certification saying that we comply - the people who care about this stuff need to have the certification.

> Which is to say, on the server or desktop side PCI does not require
> certification or independent evaluation of the OS or applications, just
> that given practices be followed. (Some of them are a bit odd, or
> downright insane, but.)
>
> Now, the issues with stuff embedded into credit card terminals or ATMs
> get a lot nastier. Most of that goes into the hardware side, but I
> have not had to go through a PCI audit on those, so I'm not sure what
> all is involved.

My understanding is that it's an issue on the server side as well if you're pushing the interesting data through there. I also understand that some of it is things like verifying that relevant security updates have been applied, which is a best-practice sort of thing but is something that people can do in a canned way with some OS knowledge.