
How will Shellshock affect PCI DSS audits for enterprises?

PCI DSS audits are sure to include a look at Shellshock mitigation. Expert Mike Chapple discusses how organizations can prepare.

With the Shellshock vulnerability gaining attention in recent months, I'm worried it will affect my company's payment systems. Will upcoming PCI DSS audits include a look into Shellshock or require mitigation of the threat? And if so, what can my organization do to prepare for that?

The Shellshock vulnerability provides attackers with a back door into vulnerable Unix and Macintosh systems that allows the execution of arbitrary commands on those systems. This is a very serious vulnerability and system administrators should take immediate action to correct it throughout their enterprise environments. Patches are available for all major Unix operating systems and should be applied immediately.

There is no doubt that PCI DSS auditors will look for the Shellshock vulnerability within your cardholder data environment, and I think it is unlikely that an auditor would issue a passing Report on Compliance to any merchant with unpatched, exposed Shellshock issues.

Fortunately, organizations with solid PCI DSS compliance programs should already have several measures in place that would identify and correct this problem. First, the regular vulnerability scans required by PCI DSS should detect the presence of Shellshock on cardholder systems and provide instructions for remediation. Second, PCI DSS 6.2 requires merchants to apply critical security patches within one month of release. Shellshock patches became available in late September 2014, so the one-month window for applying them has long since passed. Organizations compliant with PCI DSS 6.2 should therefore already have protections in place that correct the Shellshock vulnerability.
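As an added example (not from the article or its author), the following POSIX shell self-check mirrors what the PCI DSS vulnerability scans mentioned above look for: it probes each bash binary on a host for the Shellshock environment-import bug and emits one evidence line per binary. The binary paths searched and the tab-separated output format are assumptions.

```shell
# Added example, not part of the original article: a local self-check for the
# Shellshock bug in bash, run on hosts in the cardholder data environment to
# confirm that the PCI DSS 6.2 patching requirement was actually met.
#
# Mechanism: an unpatched bash imports environment variables whose value looks
# like a function definition ("() { ...") and also runs any code that follows
# the closing brace. The probe appends a harmless echo; a patched bash ignores
# the trailing text and prints nothing.

# Check one bash binary. Prints "vulnerable", "patched" or "no-bash" and returns
# 1, 0 or 2 respectively, so it can drive a scan loop or a monitoring check.
shellshock_check() {
    bin="${1:-bash}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The variable name is arbitrary; only the value shape triggers the bug.
    out=$(env probe='() { :;}; echo PROBE_EXECUTED' "$bin" -c ':' 2>/dev/null)
    case "$out" in
        *PROBE_EXECUTED*) echo "vulnerable"; return 1 ;;
        *)                echo "patched";    return 0 ;;
    esac
}

# One tab-separated evidence line per binary: host, binary, bash version, status
# (assumed format). Returns the status code from shellshock_check.
shellshock_report() {
    bin="${1:-bash}"
    rc=0
    status=$(shellshock_check "$bin") || rc=$?
    ver=$("$bin" -c 'echo "$BASH_VERSION"' 2>/dev/null || echo unknown)
    printf '%s\t%s\t%s\t%s\n' "$(hostname 2>/dev/null || echo unknown-host)" \
        "$bin" "${ver:-unknown}" "$status"
    return $rc
}

# Scan the usual bash locations (assumed paths); exit 1 if any copy is vulnerable.
main() {
    worst=0
    for b in bash /bin/bash /usr/local/bin/bash; do
        r=0
        shellshock_report "$b" || r=$?
        [ "$r" -eq 1 ] && worst=1
    done
    return $worst
}

main "$@"
```

Run it from a configuration-management job and archive the output alongside the scan reports as evidence that the patch was applied within the 6.2 window.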

This was last published in March 2015

1 comment
Forget compliance - Shellshock is something that companies should be patching anyway, not simply to achieve compliance. This is the whole reason compliance programs exist.