Thread: PCI/DSS compliant Managed IDS




PCI/DSS compliant Managed IDS
user name
2007-08-23 10:37:30
Would a Managed Security Company providing a Managed IDS
service for a company with Tier 1 PCI/DSS compliance have to
be PCI/DSS compliant itself?

Does anyone have an opinion or experience with this?

regards

Marino

 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


RE: PCI/DSS compliant Managed IDS
user name
2007-08-23 14:51:30
Hello,
PCI is a contractual arrangement. It is not legislative.
So the answer is a resounding maybe. Or: it depends.
 
If the Managed IDS [MIDS] supplier is specifically stating
that they are offering PCI-DSS services, then they would
have to meet the requirements in either case or it is a
trade practices/unfair dealings/false statement issue. This
is either a civil tort or a criminal offense.
 
The onus is on the merchant or issuer using the MIDS to
ensure that they have a contract stating this. Section 12.8
states:
12.8 If cardholder data is shared with service providers,
then contractually the following is required:

12.8.1 Service providers must adhere to the PCI DSS
requirements

12.8.2 Agreement that includes an acknowledgement that the
service provider is responsible for the security of
cardholder data the provider possesses.

This is a contractual arrangement. You also need to read
Requirement A.1: Hosting providers protect cardholder data
environment
 
If the merchant etc. did not contract to have the provider be
PCI-DSS compliant and the provider did not explicitly state
that they are, then the merchant is in breach of the PCI-DSS
- and NOT the MIDS provider.
 
Regards,
Craig



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright@bdo.com.au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional
Standards Legislation in respect of matters arising within
those States and Territories of Australia where such
legislation exists.

The information in this email and any attachments is
confidential.  If you are not the named addressee you must
not read, print, copy, distribute, or use in any way this
transmission or any information it contains.  If you have
received this message in error, please notify the sender by
return email, destroy all copies and delete it from your
system. 

Any views expressed in this message are those of the
individual sender and not necessarily endorsed by BDO
Kendalls.  You may not rely on this message as advice unless
subsequently confirmed by fax or letter signed by a Partner
or Director of BDO Kendalls.  It is your responsibility to
scan this communication and any files attached for computer
viruses and other defects.  BDO Kendalls does not accept
liability for any loss or damage however caused which may
result from this communication or any files attached.  A
full version of the BDO Kendalls disclaimer, and our Privacy
statement, can be found on the BDO Kendalls website at
http://www.bdo.com.au or by emailing administrator@bdo.com.au.

BDO Kendalls is a national association of separate
partnerships and entities.

________________________________


From: listbounce@securityfocus.com on behalf of
marino.ziniuk.clara.net
Sent: Fri 24/08/2007 1:37 AM
To: focus-ids@securityfocus.com
Subject: PCI/DSS compliant Managed IDS





RE: PCI/DSS compliant Managed IDS
user name
2007-08-24 11:56:32
Actually, I agree with Craig but don't think he goes quite far enough.

There is due diligence that a company should (needs to?) do as part of meeting their contractual obligation under PCI/DSS. With a MIDS vendor, who keeps the alert logs is a basic question. In my case we decided that the vendor must meet the log keeping requirement but that we would get a copy of the archive each month and maintain our own copies of the alert logs.

It is important to remember that one of the key reasons PCI/DSS exists is to transfer risk/liability from the issuers to the merchants. This is not to denigrate the fact that PCI/DSS can lead to improved security practices.

Mike

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Craig Wright
Sent: Thursday, August 23, 2007 3:52 PM
To: marino.ziniuk.clara.net; focus-ids@securityfocus.com
Subject: RE: PCI/DSS compliant Managed IDS
