RE: PCI question - anonymous users from uploading files

I would agree with Jason, as long as a compromise of the FTP server could
not lead to a credit card exposure (via network segmentation through
VLANs and/or firewalling) you should be able to take the FTP server out
of scope for PCI.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jason Thompson
Sent: Tuesday, January 15, 2008 2:41 PM
To: J. Lion
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: PCI question - anonymous users from uploading files

I don't have a 100% yes or no, but does the ftp server have any PAN
data on it or within the same network or is the ftp server completely
separate from all PAN processing, transactions and storage?

As per the PCI DSS: 8.5.8 Do not use group, shared, or generic
accounts and passwords

However, if the system has no interaction at all with PAN data and if
the ftp server becomes compromised it will not impact the PAN
environment, you might be ok...

I'd defer to others who may have been through this. My only experience
with anonymous FTP & PCI was with a company that had anonymous FTP
enabled on their database server that housed PAN data, so I helped
them fix that :). Pretty clear cut in that case. :)


On Jan 15, 2008 9:58 AM, J. Lion <jv4l1n4@xxxxxxxxx> wrote:
Is there a PCI requirement for preventing anonymous users from
uploading files (non PAN related files, like images or catalog data)?
