[ntp:questions] General ntp architecture question

Ryan Malayter malayter at gmail.com
Fri Aug 6 12:54:50 UTC 2010

On Tue, Aug 3, 2010 at 3:02 PM, E-Mail Sent to this address will be
added to the BlackLists <Null at blacklist.anitech-systems.invalid>
> Danny Mayer wrote:
>> Ryan Malayter wrote:
>>> PCI requirements
>> Ryan, can you please quote the reference to this document?
> <http://pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf>
>> You also didn't state in what jurisdiction this is valid.
> Compliance is mandated by the payment card brands.
>  e.g. American Express, Discover, MasterCard, Visa, ...
>  are all involved.

Correct. Any organization that accepts credit/debit cards anywhere in
the world should be very familiar with the Payment Card Industry Data
Security Standards (PCI-DSS). The initiative has been ongoing for five
years or more, and July 1, 2010 was a recent deadline for
organizations to comply or start getting fines for using non-compliant
systems for handling credit card data.

Basically, if you're not PCI-DSS compliant, the card companies or your
processor can fine you, or simply cut you off at their discretion.
They may also assume little or no financial liability for fraudulent
transactions if you are not compliant at the time of a card-holder
data compromise.

Time synchronization is just one very small piece of the PCI-DSS
requirements. Depending on the category of merchant you are, there
might be hundreds of security-related policy and technology
requirements you need to address. It's not inexpensive, but the
massive amount of online card fraud and huge number of woefully
insecure web applications made it a necessity.

Many organizations are simply moving to outsourcing all credit/debit
card transactions so that none of their systems ever see card data at
all. This puts you in the "easiest" category for PCI-compliance.


