PCI DSS

Over the past three years, I've been gaining plenty of experience in managing GNU/Linux systems. One of the most interesting projects I've worked on in that time has been the PCI DSS requirement set for companies holding credit card data.

When I first came across these PCI requirements, I was still very much 'wet behind the ears' and ended up having a fairly backseat role in the system design and implementation. However, we successfully went live with the systems, and since then it has pretty much been left to me and a couple of others to keep them running smoothly.

Since getting back from India, over 50% of my time has been spent working with a larger team on PCI compliance. The hardest thing about turning a previously non-compliant business into a compliant one isn't just the technical details; it's making sure all the processes and procedures are effectively audited so that none of them break compliance. For a medium-sized organisation this takes effort, and kudos must go to the people in the organisation for allowing previously valid methods to be scrutinised and broken, all in the name of compliance.

The best thing about the PCI compliance, though, is that we've been able to achieve it using 100% open source software. At times I've been tempted to suggest that maybe our efforts would be better spent on getting some commercial software that can manage our logging, do our alerting and reporting, and make sure that our time isn't spent doing that. However, we realised that relying on a third-party service would just make us complacent. If we were to manage the systems, we needed to know every bit of them, so we came up with a solution together.

It's been awesome working on this for the last 11 months. We've had our highs and lows (as any team has), but we've also been able to deliver a pretty stable system. We've got a LogViewer set up (which I wrote in Django, and which will probably be another post later on), our IDS and application firewall, and Nagios and Munin for spotting trends in our growth and alerting us to any problems with the systems.

The biggest bonus, though, is that we have a team that is 100% committed to success. It's something that you can't buy. When I've fallen short, they've been there to stand in and finish off a job, and we've got a really good camaraderie. It's got so good that we're even writing each other's documentation!

So I'd just like to post a public thank you! The guys know who they are, and I look forward to continuing my work with them for the foreseeable future.

Posted Thursday, November 18th, 2010 under ICT.