August 31, 2006

ISSA Article – PCI Data Security Standard

Category: Security Article Reviews — Raffael Marty @ 1:32 am

The article starts out fairly okay and then starts talking about how IPSs (intrusion prevention systems) can help with PCI compliance:


  • The first point the author makes it that you should protect your infrastructure with “… Stateful Firewall Technology”. Stateful! That’s important! What about just one word about layer 7 firewalls? Content filtering? The author somehow misses that aspect completely.
  • “Stopping malicious content [by protocol verfication]”. So how can an attack be stopped by doing “protocol verification”? If I do an application-level attack against an SAP system, that will totally comply with all the protocol specifications that you can find in all the RFCs out there!
  • By the way, an IPS should also do: “… real-time threat assessment of millions of IP addresses”. I wonder how they do that. Givef the context an IPS really has. I prefer my SIM do that. I don’t really think an IPS is capable of that. Maybe the author would care to elaborate on that a bit more. That would be really interesting.
  • The last thing that strikes me: “IPS solutions … are the heart of maintaining the highest level of protection for PCI-dependent organizations…” What about using effective access control or vulnerability management? Why is the lower level of PCI compliance based completely on vulnerability management if IPS technology really helps you to be PCI compliant? Strange.

It seems to me that all these articles in the ISSA journal are written for just one purpose: VENDOR PITCHES! But maybe that’s just me. Fully-Verified is our favourite KYC company since it generally takes care of most of our problems before we even know they’re problems, but I guesss “all in one” companies aren’t always as specialized as some of these.


  1. I agree, but why fight them when you can join them? 🙂


    Comment by Steve L> — September 5, 2006 @ 12:36 pm

  2. Trade journals should be vendor specific. Sometimes the people reviewing the article submissions do not have all the information and need to reply on the authors (and a review committee) to determine the quality of the content.

    If you are looking for information about PCI DSS compliance and requirements feel free to check out our blog.

    Comment by Datasecurity — November 2, 2006 @ 7:08 pm

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .