Comments on: PCI DSS Position on Patching May Be Unjustified http://www.bloginfosec.com/2008/06/27/pci-dss-position-on-patching-may-be-unjustified/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Adam Shostack http://www.bloginfosec.com/2008/06/27/pci-dss-position-on-patching-may-be-unjustified/comment-page-1/#comment-8875 Adam Shostack Mon, 30 Jun 2008 15:33:58 +0000 http://www.bloginfosec.com/?p=463#comment-8875 Thanks for the mention, Jeff! I'm glad we inspired you to do this, and I've posted some thoughts in response at http://www.emergentchaos.com/archives/2008/06/in_the_land_of_the_blind.html Thanks for the mention, Jeff! I’m glad we inspired you to do this, and I’ve posted some thoughts in response at http://www.emergentchaos.com/archives/2008/06/in_the_land_of_the_blind.html

]]> By: Jens Laundrup http://www.bloginfosec.com/2008/06/27/pci-dss-position-on-patching-may-be-unjustified/comment-page-1/#comment-8874 Jens Laundrup Mon, 30 Jun 2008 15:32:45 +0000 http://www.bloginfosec.com/?p=463#comment-8874 Well said Jeff. I would be willing to bet that they (The Payment Card Industry) do not follow their own patching mandate. It reflects the overall problem with PCI DSS, that it is too prescriptive but fails to meet the intended objective. We can draw a similar parallel to the Department of Defense where they often have a checklist that they have to go through to show compliance with a security directive. The problem with them is you can show compliance with the checklist or with PCI and be inadequately secured, thus meeting the letter of law but failing at the intent. It is time for the PCI to start thinking about adopting a different tactic. In my opinion, certification to ISO/IEC 27001 would do much more to meet the intent of PCI DSS than PCI DSS does today. Well said Jeff.
I would be willing to bet that they (The Payment Card Industry) do not follow their own patching mandate. It reflects the overall problem with PCI DSS, that it is too prescriptive but fails to meet the intended objective. We can draw a similar parallel to the Department of Defense where they often have a checklist that they have to go through to show compliance with a security directive. The problem with them is you can show compliance with the checklist or with PCI and be inadequately secured, thus meeting the letter of law but failing at the intent. It is time for the PCI to start thinking about adopting a different tactic.
In my opinion, certification to ISO/IEC 27001 would do much more to meet the intent of PCI DSS than PCI DSS does today.

]]>