Home > All, Security Issues > PCI DSS auditing — Jesus wept

PCI DSS auditing — Jesus wept

At first I thought 1st April had come early. Now I’m not sure. Either way it’s hilarious, and if you want a good laugh, please read: Our security [PCI DSS] auditor is an idiot. How do I give him the information he wants?

But after the laugh, have a good weep. These are the people who declare the systems that handle our credit cards to be secure — or not.

In a nutshell, this auditor demanded all his client’s passwords in plaintext. Hey, wait a minute, said the client, and wrote back:

Unfortunately there is no way for us to provide you with some of the information requested, mainly plain-text passwords, password history, SSH keys and remote file logs. Not only are these things technically impossible, but also being able to provide this information would be both against PCI Standards, and a breach of the data protection act.

The auditor replied

As explained, this information should be easily available on any well maintained system to any competent administrator. Your failure to be able to provide this information leads me to believe you are aware of security flaws in your system and are not prepared to reveal them. Our requests line up with the PCI guidelines and both can be met. Strong cryptography only means the passwords must be encrypted while the user is inputting them but then they should be moved to a recoverable format for later use.

That was my emphasis, but the client comments, “I’m going to frame that and put it on my wall.”

Now that we’ve all had a good laugh, the reality can set in. This auditor has the power of declaring a client who stores passwords in ‘a recoverable format’ to be ‘secure’. No wonder we have so many hacks.

Categories: All, Security Issues
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s