Known vulnerability patching rates

The PCI DSS Barbecue

I predict that on 1 July 2018 I will be calmly eating a barbecue sandwich, talking with friends and, possibly, burning a copy of RFC 2246 (the TLS 1.0 standard) for entertainment value. Those with less effective vendor, network, systems, application and cryptography management processes in place will feel as if they are being barbecued rather than enjoying the day. This will happen for several reasons.

No one identified all the dependencies in the use of cryptography with vendors, the firm itself or its customers. These firms waited until 29 June 2018 to open a change ticket and discovered that it was not a simple technology matter. Further, they did not authorize internal vulnerability scans beyond the PCI in-scope systems, so they never found the out-of-scope systems that will prevent the in-scope systems from being fully compliant. Finally, there will be a vendor with a truly horrible website whose best-day cryptography is weaker than the firm's worst-day cryptography standard. That vendor will likely be a regulator, so only a friendly request to add improved cryptography to their website will work.

Enjoy the barbecue rather than be barbecued.

Look at your vendor websites; it is free: https://www.ssllabs.com/ssltest/

Scan your whole internal network to find your dependent systems.

Consider your lead times. A simple patch can fix the issue in 30 days. Escalating the case for a vendor to find a patch, test it, deploy it, upgrade your systems and then deploy to production, along with dependencies on other systems, can take 6 months. One has until 31 December 2017 to find these. If not, 30 June 2018 as a PCI compliance date will become technologically infeasible. Who knows, maybe a new round of segmentation might create mitigating controls. One can dance around and evade the true intent of the PCI DSS requirements; maybe this will save the firm from the implications of non-compliance with PCI DSS while doing business with payment cards.
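The internal scan step above is where a TLS 1.0 dependency inventory actually gets built. As an added example (not code from the original post), the Python script below probes a host with a hand-built ClientHello that offers exactly one protocol version and reports whether the server accepts it. Raw TLS records are used because OpenSSL-based libraries, including Python's ssl module, now frequently refuse to offer TLS 1.0 at all. The host list, the cipher-suite selection and the verdict strings are this example's own choices, not anything from the post.

```python
"""Minimal TLS version probe for building a TLS 1.0 / 1.1 dependency inventory (added example)."""
import os
import socket
import struct

# Protocol versions as they appear on the wire (major, minor).
TLS_VERSIONS = {"TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in TLS_VERSIONS.items()}

# A handful of widely deployed suites so a legacy server has something it can pick.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC013, 0xC014, 0x002F, 0x0035, 0x000A]

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(version, server_name=None):
    """Return one TLS record carrying a ClientHello that offers only `version`."""
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!BB", major, minor)
            + os.urandom(32)                                # client random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                  # compression: null only
    exts = (_ext(10, b"\x00\x06\x00\x1d\x00\x17\x00\x18")   # supported_groups
            + _ext(11, b"\x01\x00"))                        # ec_point_formats: uncompressed
    if server_name:
        name = server_name.encode("idna")
        exts = _ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name) + exts
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello, 24-bit length
    return struct.pack("!BBBH", RECORD_HANDSHAKE, major, minor, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record a server sends back: ServerHello, Alert or unknown."""
    if len(data) < 5:
        return {"kind": "unknown"}
    rec_type, _major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    frag = data[5:5 + rec_len]
    if rec_type == RECORD_ALERT and len(frag) >= 2:
        return {"kind": "alert", "description": ALERT_NAMES.get(frag[1], str(frag[1]))}
    if rec_type == RECORD_HANDSHAKE and len(frag) >= 39 and frag[0] == 0x02:
        sid_len = frag[38]                                  # after 4-byte header, 2-byte version, 32-byte random
        if len(frag) < 41 + sid_len:
            return {"kind": "unknown"}
        suite = struct.unpack("!H", frag[39 + sid_len:41 + sid_len])[0]
        return {"kind": "server_hello", "version": (frag[4], frag[5]), "cipher_suite": suite}
    return {"kind": "unknown"}


def classify(response, requested):
    """Map a parsed server response to the inventory verdict for `requested`."""
    if response["kind"] == "server_hello" and response["version"] == requested:
        return "accepts"
    if response["kind"] == "server_hello":
        return "negotiated %s instead" % VERSION_NAMES.get(response["version"], response["version"])
    if response["kind"] == "alert":
        return "rejects (%s)" % response["description"]
    return "no usable answer"


def probe(host, port, version, timeout=5.0):
    """Offer exactly one protocol version to host:port and return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, server_name=host))
        data = b""
        # Read until the first record is complete (5-byte header plus its declared length).
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(parse_server_response(data), version)


def inventory(hosts, versions=("TLS1.0", "TLS1.1")):
    """Return {host:port: {version_name: verdict}} for the versions PCI DSS retires."""
    results = {}
    for host, port in hosts:
        results["%s:%d" % (host, port)] = {name: probe(host, port, TLS_VERSIONS[name]) for name in versions}
    return results


if __name__ == "__main__":
    import sys
    for target, verdicts in inventory([(h, 443) for h in sys.argv[1:]]).items():
        print(target, verdicts)
```

Run it as `python probe.py host1 host2 ...` against hosts you are responsible for. A `rejects (protocol_version)` verdict is a clean answer; a `rejects (handshake_failure)` verdict can also mean none of the offered cipher suites matched, so treat it as a prompt for a second look rather than as proof the version is disabled.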
