Security Basics mailing list archives

Re: PCI Compliance


From: Nick Owen <nickowen () mindspring com>
Date: Thu, 10 Jan 2008 11:32:09 -0500

Josh Haft wrote:
Hello all, need some opinions on PCI compliance.

The company I work for is trying to become PCI compliant by June 30...
we have a long way to go.

According to requirement 8.3 of the PCI DSS, two-factor authentication
is required for remote access.
I've been evaluating Aladdin's eToken product and have been impressed,
especially considering the cost.
My question is whether anyone has had experience with this product in
general or as it relates to PCI compliance.

The execs are concerned because they seem to be a smaller company
(perhaps not as reputable), but mostly because RSA is the only
two-factor auth solution they've heard of, so they are hesitant to adopt an
alternative solution.

Thoughts, comments or concerns on this approach to complying with that
section of the PCI DSS would be appreciated.

Josh:

As for the second part of your question, it's interesting to me that people hang on to certain biases based on the very fact that their information is limited. Big isn't always better. VC-backed companies fail more frequently than non-VC-backed companies. Big companies no longer provide the stability and commitment to R&D that they once did. I read that RSA is having layoffs now that they are part of EMC (http://www.theregister.co.uk/2008/01/09/rsa_job_cuts/). I don't mean to imply that they will not continue to provide good service, only that whatever the repercussions, we know they won't be *as big*.

As for the first part, a number of our customers have passed PCI using our system for two-factor. But yesterday, I spoke to a prospect who asked if we had been approved by Visa/Mastercard/Amex. It was my understanding that there is no such process/list. Am I mistaken?

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
