RE: PCI/DSS compliant Managed IDS



Hello,
PCI is a contractual arrangement. It is not legistlative.
So the answer is a resonding maybe. OR and it depends.

If the Managed IDS [MIDS] supplier is specifically stating that they are offering PCI-DSS services, than they would have to meet the requirements in either case or it is a trade practices/unfair dealings/false statement issue. This is either a civil tort or criminal offense.

The onus is for the merchant or issuer using the MIDS to ensure that they have a contract stating this. Section 12.8 states:
12.8 If cardholder data is shared with service providers, then contractually the following is required:

12.8.1 Service providers must adhere to the PCI DSS requirements

12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.

This is a contractual arrangement. You also need to read Requirement A.1: Hosting providers protect cardholder data environment

If the merchant etc did not contract to have the provider be PCI-DSS compliant and the provider did not explicitly state that they are, then the merchant is in breach of the PCI-DSS - and NOT the MIDS provider.

Regards,
Craig



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright@xxxxxxxxxx
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator@xxxxxxxxxxx

BDO Kendalls is a national association of separate partnerships and entities.

________________________________


From: listbounce@xxxxxxxxxxxxxxxxx on behalf of marino.zini@xxxxxxxxxxxx
Sent: Fri 24/08/2007 1:37 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: PCI/DSS compliant Managed IDS



Would Managed Security Company providing a Managed IDS service for a company with Tier 1 PCI/DSS compliance have to be PCI/DSS compiaant itself?

Does anyone have an opinion or experience with this?

regards

Marino



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



Relevant Pages

  • Re: Community Wireless?
    ... expense to me but I've never had the service before so I have no idea ... And this is the provider the town ... this franchise are spelled out in the franchise agreement which the city ... but the contract can tell you lots of important details. ...
    (comp.sys.mac.comm)
  • RE: PCI/DSS compliant Managed IDS
    ... It is important to remember that one of the key reasons PCI/DSS exists ... Subject: PCI/DSS compliant Managed IDS ... provider is responsible for the security of cardholder data the provider ... and not necessarily endorsed by BDO Kendalls. ...
    (Focus-IDS)
  • Re: Community Wireless?
    ... this franchise are spelled out in the franchise agreement which the city ... Go to city hall and get a copy. ... but the contract can tell you lots of important details. ... The provider ...
    (comp.sys.mac.comm)
  • Re: As expected, Apple faces an uphill battle for the iPhone in Europe
    ... I seriously doubt Apple *wants* to have a service provider interfering ... They won't even let you avoid signing a two year contract, ... over you trying to give you a new phone to sign a new subscription. ... the providers pay resellers a big bonus to resellers, ...
    (comp.sys.mac.advocacy)
  • Re: ebay cell phone cant be activated
    ... if the contract from the previous ... > intended for the service provider that you are going to be activated with. ... > basic plan to use it. ...
    (sci.electronics.repair)