
For those that might not understand the compliance requirement, PCI compliance is a good example. If you process credit card payments, you need to be PCI (Payment Card Industry) compliant. And PCI DSS Requirement 5.1 [1] states

>Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

So most enterprise companies have to have AV on their workstation and servers (yes Mac and Linux too) in order to keep processing credit card payments.

[1] https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_...



Sounds like there's an opportunity for micro AV: the smallest possible compliant antivirus software.


That's called Windows Defender.

Before that, you could drive down the big vendors, a lot. I think I paid like $2/pc/year for McAfee back in the day.


Sounds like Windows Defender is not listed as a compliant antivirus?


I haven't done a PCI project with Windows in a long time. If it isn't compliant, it's probably because it's unmanaged.

If you use SCEP (Windows Defender Managed by SCCM) or other tools, you're probably ok. But don't quote me!


Does this apply to things like Square card readers plugged into an iPhone?


In that case Square is the payment processor. The vendor using the Square reader is not required to be PCI DSS compliant, only Square is. Same for accepting Paypal, Stripe, etc.


> Same for accepting Paypal,

Definitely not the case for Paypal.

As soon as the charges cross a certain rolling dollar amount, one needs to complete a security assessment that requires AV in addition to a pile of other idiotic things - such as a specific set of signatures returned by the web servers in a scan by TrustWave. Unrecognized signature? Failed!

Source: first hand experience.


I've done PCI/DSS consulting. For the biggest provider of online loan servicing, in fact. Over 80% of all online loans are processed through their system, mostly done as a white-label service for virtually every big bank, credit union, or other financial services provider in existence.

The reality of PCI/DSS is a bit more ... complex.

What it really comes down to is whatever your auditor says you have to do in order to meet the requirements. And history has already taught us that if your auditor is one of the Big Accounting firms, then they can be ... flexible ... if you're a big enough customer.

So, there's the letter of the law, and then there's what you actually have to implement in your code. And the two may have relatively little to do with each other.

Just make sure that you document everything you do within an inch of your life and the life of the code in question, so that when there is a breach (and there WILL be a breach), you're not the one that is being left out in the cold.


Is that Paypal's requirement, or a PCI DSS requirement?


PCI DSS.

Paypal told us it applied to us and we either had to do it or they would block our seven digit monthly charges.



