Sounds like you are arguing about the definition of "central". It might
help to ask what you are securing with PCI, what is the scope of the
compliance, not physically central, and especially how to ensure you have
correct and consistent time.

For example, if you are ensuring compliance for "the web application" which
exists in two data centers then you want something central to "the web
application" which ensures that both data centers have correct and
consistent time.

What if you put in the servers that you describe, peer them all together,
and have only a few "central" systems contact the external time source?
"External" to your compliance boundary, of course.

P.S.
I'm not an expert on PCI.

On Fri, Sep 25, 2015 at 9:55 AM Matt Butch <apple4e...@me.com> wrote:

> Anybody here know about PCI and Time servers? I'm fighting a battle with
> our security guy about it.
>
> Background: we have two e-commerce datacenters (active/failover type)
> located on opposite sides of the country that host our web stack, and two
> corporate offices near each other that host the business stack (i.e. email,
> file server, AD, warehouse/shipping database system). We also have a host
> of stores and warehouses.
>
> PCI requires that "Critical systems have the correct and consistent time."
> (10.4.1). However the testing procedures in that section say "Only the
> designated central time server(s) receives time signals from external
> sources". He is hung up on that "central" part.
>
> I want to put time servers in the two e-commerce datacenters as well as
> the two corporate offices and peer all of them together, and point our
> servers to all of them. He wants to only put them in the two corporate
> offices. His argument is that they are then central there. Mine is that
> they aren't central to the web stack, and that the web stack will not
> maintain correct and consistent time.
>
> Thoughts?
>
> -Matt
>
> --
>
> I follow the System Administrators' Code of Ethics:
> https://lopsa.org/CodeOfEthics
> LOPSA Member
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/
>
-- 
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
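
Added example, not part of the original thread: one way to check the quoted 10.4.1 testing procedure ("Only the designated central time server(s) receives time signals from external sources") against the peered layout discussed above. The host names, the `.corp.example` boundary suffix and the sample ntpd-style configs are constructed for illustration.

```python
import re

# Assumption: any name ending in this suffix is inside the compliance boundary.
# Anything else (including bare IP addresses) is treated as external.
INTERNAL_SUFFIX = ".corp.example"
# Assumption: the hosts documented as the designated central time servers.
DESIGNATED = {"ntp1.dc-east.corp.example", "ntp1.hq.corp.example"}

# Constructed sample configs, keyed by (hypothetical) host name.
CONFIGS = {
    "ntp1.dc-east.corp.example": """
        server 0.pool.ntp.org iburst
        peer ntp1.dc-west.corp.example
        peer ntp1.hq.corp.example
    """,
    "ntp1.dc-west.corp.example": """
        peer ntp1.dc-east.corp.example
        peer ntp1.hq.corp.example
    """,
    "ntp1.hq.corp.example": """
        server 1.pool.ntp.org iburst
        peer ntp1.dc-east.corp.example
    """,
    "web01.dc-west.corp.example": """
        server ntp1.dc-west.corp.example
        server ntp1.dc-east.corp.example
        # leftover distro default that breaks the rule:
        pool 2.pool.ntp.org iburst
    """,
}

# Matches time-source directives; commented-out lines do not match.
SOURCE = re.compile(r"^\s*(?:server|peer|pool)\s+(\S+)", re.MULTILINE)

def external_sources(conf):
    """Return the time sources in one config that lie outside the boundary."""
    return [t for t in SOURCE.findall(conf)
            if not t.lower().endswith(INTERNAL_SUFFIX)]

def audit(configs, designated):
    """Map each non-designated host to the external sources it contacts."""
    return {host: ext for host, conf in configs.items()
            if (ext := external_sources(conf)) and host not in designated}

def designated_without_external(configs, designated):
    """Designated servers that have no external source configured at all."""
    return sorted(h for h in designated
                  if not external_sources(configs.get(h, "")))

if __name__ == "__main__":
    print("violations:", audit(CONFIGS, DESIGNATED))
    print("designated but isolated:", designated_without_external(CONFIGS, DESIGNATED))
```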