RE: VISA/Mastercard PCI Vendor Scanning requirements

From: Craig Wright (cwright@bdosyd.com.au)
Date: Fri Mar 03 2006 - 20:45:10 EST


PPS.
Working for a globally approved PCI audit partner for Visa, I more than well and truly understand the difference between a scan and an audit. Next, BDO Australia is a chartered partnership, and there are (like for CPAs in the US) requirements for what you can legally call an audit.
 
The minimal PCI audit standards include a 46-page checklist of all items which need to be covered in detail. Each of these points is a 5-10 page document that needs to be checked. Most firms doing this will still not even call these an audit, or at least have exclusion clauses.
 
The PCI scanning standards consist of a 5-page base document, an expanded 12-page document and a 13-page checklist. They also link to the self-assessment questionnaire. From this, each firm needs to create and submit its own process document. They are held liable for breach if any of the following occurs:
1. They do not meet or exceed the minimum set standards.
2. The set processes are not adequate under due care and process.
 
The comment on the legality has to do with changes in the law for financial auditors and those who are involved with the audit of financial systems. I REALLY hope that most of the people on the list who do these are knowledgeable enough to include the following in their contracts:
"This body of work represents an agreed procedure only and does not in any way constitute an audit."
 
If not, you may find that you are now not only liable for failure to discover a vulnerability under tort but also liable to possible criminal sanctions, and are not for the most part "legally professionals". Not to get into the definition of professional, but under NSW (Australian) legislation there are limitations under the Professional Liability and Limitations scheme. IT security people are not professionals by law just because they call themselves a professional. There are other requirements in other areas. For example, there are requirements in California to legally call yourself an engineer. Call yourself one on the lists and by jobs by all means, but if (and I hope this is not the case) you go to court, this is something to consider.
 
Regards
Craig

        -----Original Message-----
        From: Derek Nash [mailto:ddnash@gmail.com]
        Sent: Sat 4/03/2006 9:51 AM
        To: Craig Wright
        Cc: pen-test@securityfocus.com
        Subject: Re: VISA/Mastercard PCI Vendor Scanning requirements
        
        

        Although you are correct in that it doesn't state a blind test, the
        sample environment you are required to scan for certification is a
        remote environment which precludes an onsite visit and the normal
        data/information gathering phases that would be performed during a
        full security assessment.
        
        PCI testing is narrow in scope and specific in its requirements. I am
        simply trying to determine what others are doing to meet the minimum
        requirements to perform a PCI scan under the industry requirements.
        
        Please do not confuse this with a PCI audit which is a much larger
        undertaking and more closely matches a "full on" security assessment.
        
        

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT