[Scown]

Complying with payment card industry (PCI DSS) requirements is an absolutely insane process, even if you're vaguely technically literate.

Obviously not saying payment processing isn't an incredibly important area to enforce good security practice. But it's a lonely place to be when you're attesting to hundreds of ridiculous requirements relating to your overpriced, off-the-shelf POS system and anything/anyone that touches it.

"Yes. Yes. Yes. Yes. Absolutely, yes." Cross fingers. Repeat annually.

[CWuestefeld]

Maybe you're certifying at a lower level. I had to prove pretty much everything.

We have a "wallet" function, in support of which there's a DB that stores encrypted credit card numbers (they're encrypted by the app, so the DB never sees the cleartext). Obviously this database is backed up periodically. The auditor forced me to restore one of those backups and show them the content of the restored table, in order to prove that the backup/restore operation didn't magically decrypt the data.

This is something that I would have been willing to sign any document to certify, without having actually run the experiment. But they wanted screenshots.

They also told us that all employees need to have obfuscated email addresses to protect against spear phishing. That's when the infosec team finally told them they were being ridiculous.

[empath75]

Also has lovely requirements like having antivirus installed on your Linux servers.

[TazeTSchnitzel]

Is that wrong? Malware does exist for Linux, and that way you can also detect malware designed for other systems if it ends up on the machine.

[kbenson]

It depends on the AV.

Either the AV ties into the kernel with a module, in which case it can also be an avenue for an increased permissions exploit, or it doesn't have any special kernel level capabilities, in which case it will never find rootkits that include kernel modules to hide themselves.

Personally, I would be happy with an open source community based disk scanner looking for weirdly named files and folders (there are common variants used in hacks) and a locked down selinux config. Bonus points if you compile a kernel that doesn't allow modules (but IIRC that doesn't preclude kernel level shenanigans).

Interestingly, it looks like since the PCI requirement for AV is for "all systems commonly affected by malicious software" they don't actually require it of all Linux systems in all cases.[1]

1: https://security.stackexchange.com/questions/58345/how-to-pa...

[hyperpape]

Antivirus software is not particularly effective, and also a significant attack vector. You can find several interesting stories just by searching antivirus on HN: https://hn.algolia.com/?query=antivirus&sort=byPopularity&pr....

[tbirrell]

Depending on scale, its usually easier to spin a new server than prevent malware.