On Fri, Mar 17, 2017, Laura Atkins wrote:
>> On Mar 17, 2017, at 7:47 AM, John R Levine <jo...@taugh.com> wrote:
>>
>>> On Fri, 17 Mar 2017, Eric Henson wrote:
>>>
>>>> As a PCI compliant company, we have to go to great lengths to secure
>>>> any system that stores, processes, or transacts credit card data. If
>>>> that included our email servers, that would put every single mail
>>>> server, every single mail client, including smart phones, in scope
>>>> for our PCI audit. That would be a complete nightmare.
>>
>> I believe you, but that's not the question -- when's the last time
>> something bad actually happened due to sending credit card info by
>> mail?
>>
>> I used to have my own credit card account and my card processor
>> demanded PCI compliance. About 1/4 of it was reasonable, 3/4 was cargo
>> cult stuff that mostly involved stuff like setting packet filters so
>> they couldn't probe ports that weren't going to answer anyway.
>
> Oh. We had our PCI compliance "security vendor" tell us we should open
> up ports on our NAT so they could probe the NAT for vulnerabilities to
> test the security of our
> only-turned-on-to-connect-to-virtual-terminal-VM that we used for
> credit card processing (not many of our customers pay with credit
> cards). We finally "passed" the security sweep by blackholing their
> scanning IP addresses.
I've had PCI testers complain when they tried port scans on systems we
monitor, and their IPs were blocked almost immediately. They couldn't
understand active measures that detect attacks and take actions to
prevent damage. They actually wanted me to remove the firewall so they
could test.

Bill

--
INTERNET: b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186  Skype: jwccsllc  (206) 855-5792

No nation can preserve its freedom in the midst of continual warfare.
-- James Madison