Dealing with auditors (was Re: We hit half-million: The Cidr Report)

TGLASSEY tglassey at
Thu May 1 16:04:57 UTC 2014

Bill - anything that puts another routable network alongside of the card 
processing info is in scope. The real; issue is that the PCI-SSC decided 
to formally create a policy to hold the auditors harmless in their 
actions and that is about to change.


On 5/1/2014 8:52 AM, William Herrin wrote:
> On Thu, May 1, 2014 at 6:29 AM, Alain Hebert <ahebert at> wrote:
>>      Bill & Telnet...
>>          I hope that QSA didn't let you keep that telnet facing any
>> public interface without any protection.
> Hi Alain,
> The point I made, successfully, was that it was outside the firewall
> hence out of scope for the audit. What I do in a different security
> domain from the one which handles the credit card transactions is none
> of their business.
> Regards,
> Bill Herrin


Personal Email - Disclaimers Apply

More information about the NANOG mailing list