On 22/08/2010, at 7:48 AM, Simon wrote: > yeah, we've done a few of those self assement things, and we could answer yes > to everything with amazon. > > i guess there is some confusion about cloud computing rather than pci > compliance. those questionnaires are all fussed about patching policies, root > access, firewalls etc. with amazon you get all of that. it's not this big > cloudy thing that you have zero control over..
You cannot possibly answer Yes to all the self assessment questions when exclusively using Amazon cloud services for card processing because a bunch of the questions are about the physical security of the data and unless Amazon can provide you with a guarantee of PCI compliance then you cannot answer Yes. For example you cannot guarantee that an unscrupulous employee at amazon cannot access, intercept or otherwise alter any of your "compliant" systems without detection because it involves physical (or virtual in this case) access and audit control guarantees that Amazon do not provide (in fact they explicitly state the exact opposite in the usage agreement). To be compliant you would need to do your card processing elsewhere that can provide such a guarantee. > Simon > > On 21 August 2010 22:15, Miguel Arroz <[email protected]> wrote: > Hi! > > PCI compliance is way more complex than simply passing the port-scan and > automated tests. I don't recall all the details, but you have to answer a > self-assessement form, and in that form I think they ask some stuff that > can't be answered "Yes" if you are using Amazon (or any other cloud service). > > On the other hand, some of those questions have a very vague > interpretation, and others are just plain stupid (like asking if you have an > anti-virus installed on all your company computers, or asking if you have a > proper configured firewall, whatever that means). I'm not defending PCI here, > just saying you can get burned. That's what the compensating controls section is for. The questions have an underlying risk that they try to protect against. In the case of antivirus software, it is to prevent the surreptitious installation of malicious or otherwise unauthorised software on your systems. If you can provide this security by other means then you detail it as a compensating control. -- Seeya...Q Quinton Dolan - [email protected] Gold Coast, QLD, Australia (GMT+10)
_______________________________________________ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list ([email protected]) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to [email protected]
