Hi Richard,
> Are there plans to incorporate the PCI DSS compliance into BQ Centos?
"PCI DSS compliance" is not something that you can download and install. It
involves methods, procedures and operational practices and has to consider
the entire infrastructure (how it is configured, monitored and maintained;
also who has access to what and when) - not just the server itself.
Therefore this goes much beyond the scope of what BlueQuartz or any Open
Source software project can provide.
The current version of the PCI DSS standard (v1.2) specifies 12 requirements
for compliance, organized into 6 logically related groups, which are
called "control objectives". The control objectives and their requirements
are:
- Build and Maintain a Secure Network
  o Requirement 1: Install and maintain a firewall configuration to
    protect cardholder data
  o Requirement 2: Do not use vendor-supplied defaults for system passwords
    and other security parameters
- Protect Cardholder Data
  o Requirement 3: Protect stored cardholder data
  o Requirement 4: Encrypt transmission of cardholder data across open,
    public networks
- Maintain a Vulnerability Management Program
  o Requirement 5: Use and regularly update anti-virus software
  o Requirement 6: Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  o Requirement 7: Restrict access to cardholder data by business need-to-know
  o Requirement 8: Assign a unique ID to each person with computer access
  o Requirement 9: Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  o Requirement 10: Track and monitor all access to network resources and
    cardholder data
  o Requirement 11: Regularly test security systems and processes
- Maintain an Information Security Policy
  o Requirement 12: Maintain a policy that addresses information security
PCI also is only one of multiple data security standards that have emerged
over the past decade, like BS7799, ISF Standards, Basel II, the
Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and
Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 and some others.
Which one of them is applicable to your type of business also greatly depends
on where you do business.
So all in all I'd say that we certainly will implement some improvements along
the line to make BlueQuartz more secure. Parts of it are already shaping up
nicely for 5106R.
However, "PCI compliance" and "appliance for shared hosting" are generally
conflicting ideas. Anyone that stores credit card data on a server that is
also used for shared hosting has not understood what PCI compliance means. On
a server where you store your "crown jewels" you wouldn't (and shouldn't!)
allow access for anyone that doesn't need access to that box. Also keep in
mind: Most payment processors provide you with interfaces or means which do
not require you to store any credit card data on your own servers. That
doesn't entirely eliminate the need to provide security on your end, but it
shifts the more ugly parts of it onto the shoulders of an entity which
provides secure payment transactions for a living.
Now can you use BlueQuartz to host business websites in a PCI compliant
network? Sure you can. Provided you know what you're doing and follow best
business practices and procedures. But again: This goes much beyond the scope
of Open Source software or the goals of this project.
--
With best regards,
Michael Stauber