PCI DSS auditing — Jesus wept
At first I thought 1st April had come early. Now I’m not sure. Either way it’s hilarious, and if you want a good laugh, please read: Our security [PCI DSS] auditor is an idiot. How do I give him the information he wants?
But after the laugh, have a good weep. These are the people who declare the systems that handle our credit cards to be secure — or not.
In a nutshell, this auditor demanded all his client’s passwords in plaintext. Hey, wait a minute, said the client, and wrote back:
Unfortunately there is no way for us to provide you with some of the information requested, mainly plain-text passwords, password history, SSH keys and remote file logs. Not only are these things technically impossible, but also being able to provide this information would be both against PCI Standards, and a breach of the data protection act.
The auditor replied:
As explained, this information should be easily available on any well maintained system to any competent administrator. Your failure to be able to provide this information leads me to believe you are aware of security flaws in your system and are not prepared to reveal them. Our requests line up with the PCI guidelines and both can be met. Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use.
That was my emphasis, but the client comments, “I’m going to frame that and put it on my wall.”
Now that we’ve all had a good laugh, the reality can set in. This auditor has the power of declaring a client who stores passwords in ‘a recoverable format’ to be ‘secure’. No wonder we have so many hacks.
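As an added illustration that is not part of the original post: this is what "not recoverable" looks like in practice, and what an assessor can legitimately verify from stored records without ever being handed a plaintext password. The policy values (algorithm, iteration counts, salt length) are assumptions for the example, not figures taken from PCI DSS.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example only (not from the post or any PCI document).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # work factor used for new records
SALT_BYTES = 16           # random salt per record
MIN_ITERATIONS = 310_000  # oldest work factor still acceptable at audit time


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing one-way record: algorithm$iterations$salt$digest.

    Nothing in the record lets an administrator, or an auditor, recover the password.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def audit_record(record: str) -> list[str]:
    """Findings an assessor can derive from the stored record alone (no plaintext needed)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return ["not a recognised one-way record; may be reversible storage"]
    _, iterations, salt_hex, digest_hex = parts
    findings = []
    if int(iterations) < MIN_ITERATIONS:
        findings.append(f"iteration count {iterations} below policy minimum {MIN_ITERATIONS}")
    if len(bytes.fromhex(salt_hex)) < SALT_BYTES:
        findings.append("salt shorter than policy minimum")
    if len(bytes.fromhex(digest_hex)) != hashlib.sha256().digest_size:
        findings.append("digest length does not match sha256")
    return findings
```

The evidence an assessor needs is the record format and work factor, checked by audit_record, plus a demonstration that verify_password accepts the right password and rejects a wrong one.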