Re: PCI Compliance

["Josh Haft" <pacmansyu () gmail com>]

With my understanding of PCI, I would say yes, absolutely.

On Jan 16, 2008 12:41 PM, Petter Bruland <pbruland () fcglv com> wrote:
> Curious....
>
> If VISA info is emailed to a company, and that company has a VISA card
> machine that they enter the data into and then it dials up VISA to make
> the transaction. Will that company need to comply with PCI as there is
> VISA info in their email system?
>
> Thanks for a lot of good feedback on PCI compliance.
>
> -Petter
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
>
> On Behalf Of Stephen Thornber
> Sent: Monday, January 14, 2008 12:26 PM
> To: JD Brown
> Cc: Josh Haft; security-basics () securityfocus com
> Subject: Re: PCI Compliance
>
> Just thought you might like to know I have just saved our company a
> fortune by going with a product from http://www.securenvoy.com/
>
> It does what it says on the packet and works with mobile phones - simple
> to configure and use.
>
> And they don't pay me for this either....
>
> Stephen
>
> On 10 Jan 2008, at 16:21, JD Brown wrote:
>
> > I've heard good things about Aladdin, although I have no direct
> > experience with them.  I know that doesn't tell you a whole lot.  We
> > use RSA SecurID tokens and I will say that it is a solid product,
> > we've had almost no problems with them.  The only downside is that the
>
> > Auth Manager server software is not all that impressive...looks like
> > it hasn't been re-written since NT days and it is missing some
> > features that in my opinion should be there by now.  Also, they don't
> > support Vista yet or at least they didn't the last time I talked to
> > them which was maybe around October.  HTH.
> >
> > JD
> >
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com
> > ]
> > On Behalf Of Josh Haft
> > Sent: Wednesday, January 09, 2008 18:36
> > To: security-basics () securityfocus com
> > Subject: PCI Compliance
> >
> > Hello all, need some opinions on PCI compliance.
> >
> > The company I work for is trying to become PCI compliant by June 30...
> > we have a long way to go.
> >
> > According to requirement 8.3 of the PCI DSS, two-factor authentication
>
> > is required for remote access.
> > I've been evaluating Aladdin's eToken product and have been impressed,
>
> > especially considering the cost.
> > My question is whether anyone has had experience with this product in
> > general or as it relates to PCI compliance.
> >
> > The execs are concerned because they seem to be a smaller company
> > (perhaps not as reputable), but mostly because RSA is the only
> > two-factor auth solution they've heard of, so are hesitant to adopt an
>
> > alternative solution.
> >
> > Thoughts, comments or concerns on this approach to complying with that
>
> > section of the PCI DSS would be appreciated.
> >
> > Josh
> >
> > -----------------------------------------------------
> > This e-mail is confidential and may well be legally privileged. If you
>
> > have received it in error, you are on notice of its status. Please
> > notify us immediately by reply e-mail and then delete this message
> > from your system. Please do not copy it or use it for any purposes, or
>
> > disclose its contents to any other person. To do so could violate
> > state and federal privacy laws. Thank you for your cooperation.