[AusNOG] Assistance and Access Bill moves to PJCIS
Paul Wilkins
paulwilkins369 at gmail.com
Mon Oct 22 14:11:33 EST 2018
Except that where subject to an order under 317j to conceal the existence
of a TCN/TAN forms part of the terms.
In those situations, there can be no "warrant canary". An auditor has no
way of knowing if such a direction exists, and someone reading a Report of
Compliance has no way of knowing if such a direction exists. Consequently
every PCI compliance becomes suspect, and consequently the whole PCI
compliance regime is systematically weakened.
Kind regards
Paul Wilkins
On Mon, 22 Oct 2018 at 13:04, Christian Heinrich <
christian.heinrich at cmlh.id.au> wrote:
> Paul,
>
> On Mon, Oct 22, 2018 at 11:32 AM Paul Wilkins <paulwilkins369 at gmail.com>
> wrote:
> > I suppose auditors can qualify any report that mandated TCNs/TANs are
> excepted, but are you then "PCI Compliant"?
>
> Not possible as this would be separate from the Cardholder Data
> Environment (CDE) and the encryption of "data in transit" is PCI-DSS
> Requirement 4.1.c.
>
> If the definition of the CDE were to change in the future then a
> "warrant canary" would signify this within the "Report on Compliance"
> (RoC) or "Self Assessment Questionnaire" (SAQ).
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20181022/9f77a5cb/attachment.html>
More information about the AusNOG
mailing list