PCI DSS could benefit from Open Source
Over the past few weeks and months I’ve been helping to develop a PCI DSS system for a client. It was necessary to set up and automate a few integrity checks and Tripwire monitors, to have the running services audited for secure protocols, and to have policies in place to make sure that any holes are patched and recorded properly. It’s been quite a big learning experience for me, not only in the technological challenges but in the managerial “nuances” of passing an audit.
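A minimal Tripwire-style integrity check of the kind mentioned above, written as an added example rather than code from the client system or from Tripwire itself: it baselines hash, permission bits and size of every regular file under a directory and reports what was added, removed or modified. The directory layout and file contents are constructed, and the paths under `etc/` are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root to hash, mode and size; symlinks are skipped."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline

def compare(baseline, current):
    """Report drift between a stored baseline and a fresh scan."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }

def demo():
    """Constructed sample: baseline a tiny fake etc/ tree, then simulate drift.
    In production the baseline would be stored read-only off the monitored host."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(d)
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # config changed
        (etc / "rc.local").write_text("#!/bin/sh\n")                # file added
        (etc / "passwd").unlink()                                   # file removed
        return compare(baseline, build_baseline(d))
```

A scheduled run of `compare()` against a baseline kept off the host, with any non-empty result alerted on and recorded, is the automation the audit expects to see.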
The first thing is that the PCI requirements are the same across all companies that handle or store credit card data. There are 12 main requirements, each with sub-requirements that go into more specific detail. Some things are stated explicitly, like password policies and log retention periods. It’s hardly environmentally friendly either, as at least two (if not three) separate physical servers are needed to fulfil the requirements, and that doubles if you’re going to have failover redundancy for backup purposes.
On Security by Obscurity
One of the biggest pains I had with the PCI DSS implementation was that there wasn’t much guidance or any howtos on how other people had secured their PCI systems. In fact that’s not too surprising: you’re hardly going to want to publish details of how you’ve done it if you’re securing a system. However, security by obscurity is as good as none once someone finally breaks the obscurity.
Together we prevail, divided we fall.
I would argue that this should be the motto of every functioning open source group. It would save so much time and money if, for example, Red Hat were to provide a “PCI compliant” authentication server and webserver cluster. Imagine setting up two servers and running:
rpm -ivh wwwserver
rpm -ivh dbserver
It would save a great deal of time and effort that would otherwise depend on an individual systems administrator.