10 Feb 2009, 8:57 a.m.
However, the PCI DSS does contain a "Compensating controls" section, which allows for the use of functionality which "provide[s] a similar level of defense" to the stated requirements, where the stated requirements can not be followed due to "legitimate technical or documented business constraints".
Now the fact that RFC1918 addresses don't work with IPv6 is clearly a "legitimate technical ... constraint", so as long as you could successfully argue that a stateful firewall or other measures in place provided equivalent security as NAT you should be fine.
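What the comment above is arguing for, written out as an added example (not something posted in this thread, and not taken from the PCI DSS itself): an IPv6 stateful filter that gives a network the one property people actually credit NAT with, namely that no unsolicited inbound session reaches internal hosts, while still letting the IPv6 control plane work. The interface names, the documentation prefix and the table name are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original thread. Interface names, prefix and
# table name are placeholders; replace them with the real values.
define wan_if = "eth0"
define lan_if = "eth1"
define lan_prefix = 2001:db8:1::/48   # RFC 3849 documentation prefix, placeholder

table ip6 nat_equivalent {

    # Traffic through the firewall: this is the chain that replaces NAT's
    # "only replies to sessions we started" behaviour.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Packets belonging to sessions the LAN opened, exactly what a NAT
        # translation table would remember.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new outbound sessions, and only from our own
        # prefix, so a spoofed or leaked source address is dropped.
        iifname $lan_if oifname $wan_if ip6 saddr $lan_prefix ct state new accept

        # ICMPv6 error messages are required for IPv6 to function (PMTU
        # discovery in particular); blocking them breaks large transfers.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Anything else is an unsolicited inbound session: log it for the
        # audit trail, then drop (the chain policy would drop it anyway).
        counter log prefix "ip6-fwd-drop: " drop
    }

    # Traffic to the firewall itself. Neighbor Discovery is link-local and
    # must be allowed here or hosts on both sides lose their default route.
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # NDP and the ICMPv6 errors; these never cross the forward chain.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Management only from the LAN side, constructed example port.
        iifname $lan_if tcp dport 22 ct state new accept

        counter log prefix "ip6-in-drop: " drop
    }
}
```

Load it with `nft -f <file>` and confirm the result with `nft list ruleset`; the `counter log` rules on each chain give the dropped-unsolicited-traffic evidence an auditor reviewing a compensating control would normally ask to see alongside the documented constraint. The point the ruleset makes is that NAT's protective effect is entirely the default-deny on new inbound connections, which a stateful filter expresses directly and more precisely, since it also enforces the source prefix on the way out.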
Excellent loophole! Although I wonder how many clueful auditors are out there and able to make this fly ...