Security Basics mailing list archives
RE: PCI Compliance
From: "Michael Benedetto" <mbenedetto () amnh org>
Date: Wed, 16 Jan 2008 19:38:43 -0500
One thing to understand is PCI does not only pertain to electronic systems, but also to printed records and databases that may contain the cardholder information. It also pertains to all companies accepting credit cards. PCI DSS requirement 4.2 states that you should "Never send unencrypted PANs by e-mail". Therefore, accepting unencrypted cardholder information via e-mail is a clear violation of PCI. Additionally, the company will have to review how it handles that information after the purchase has been processed. For example, how do they store the transaction receipts once the purchase has been made?

Michael Benedetto, CISSP, CISM
Senior Associate Director of Information Technology
Network Systems and Information Security
American Museum of Natural History

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Petter Bruland
Sent: Wednesday, January 16, 2008 5:18 PM
To: Jay; pacmansyu () gmail com
Cc: security-basics () securityfocus com
Subject: RE: PCI Compliance

He he, I knew someone would respond like this :-)

It's not how they normally do VISA transactions; that's done via phone for the most part.... which I believe we also deemed insecure a few threads ago.

Yes, they have a looooooong way before they are PCI compliant.

-Petter

-----Original Message-----
From: Jay [mailto:jay.tomas () infosecguru com]
Sent: Wednesday, January 16, 2008 2:07 PM
To: pacmansyu () gmail com; Petter Bruland
Cc: security-basics () securityfocus com
Subject: Re: PCI Compliance

The bigger question is who is the d@psh@t company receiving VISA information via email. If that is their idea of a secure transactional mechanism, they probably have a far path to meet anything in the PCI requirements.

Jay

----- Original Message -----
From: Josh Haft [mailto:pacmansyu () gmail com]
To: pbruland () fcglv com
Cc: security-basics () securityfocus com
Sent: Wed, 16 Jan 2008 13:44:09 -0600
Subject: Re: PCI Compliance

With my understanding of PCI, I would say yes, absolutely.

On Jan 16, 2008 12:41 PM, Petter Bruland <pbruland () fcglv com> wrote:

Curious.... If VISA info is emailed to a company, and that company has a VISA card machine that they enter the data into and then it dials up VISA to make the transaction, will that company need to comply with PCI as there is VISA info in their email system?

Thanks for a lot of good feedback on PCI compliance.

-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephen Thornber
Sent: Monday, January 14, 2008 12:26 PM
To: JD Brown
Cc: Josh Haft; security-basics () securityfocus com
Subject: Re: PCI Compliance

Just thought you might like to know I have just saved our company a fortune by going with a product from http://www.securenvoy.com/

It does what it says on the packet and works with mobile phones - simple to configure and use. And they don't pay me for this either....

Stephen

On 10 Jan 2008, at 16:21, JD Brown wrote:

I've heard good things about Aladdin, although I have no direct experience with them. I know that doesn't tell you a whole lot. We use RSA SecurID tokens and I will say that it is a solid product; we've had almost no problems with them. The only downside is that the Auth Manager server software is not all that impressive... looks like it hasn't been re-written since NT days and it is missing some features that in my opinion should be there by now. Also, they don't support Vista yet, or at least they didn't the last time I talked to them, which was maybe around October.

HTH.

JD

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Josh Haft
Sent: Wednesday, January 09, 2008 18:36
To: security-basics () securityfocus com
Subject: PCI Compliance

Hello all, need some opinions on PCI compliance. The company I work for is trying to become PCI compliant by June 30...
we have a long way to go. According to requirement 8.3 of the PCI DSS, two-factor authentication is required for remote access. I've been evaluating Aladdin's eToken product and have been impressed, especially considering the cost. My question is whether anyone has had experience with this product in general or as it relates to PCI compliance. The execs are concerned because they seem to be a smaller company (perhaps not as reputable), but mostly because RSA is the only two-factor auth solution they've heard of, so they are hesitant to adopt an alternative solution.

Thoughts, comments or concerns on this approach to complying with that section of the PCI DSS would be appreciated.

Josh
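The thread's main point is that a PAN arriving in a mailbox is already a PCI DSS 4.2 problem. As an added example, not code from any poster, the following is a small mail-gateway style check that flags inbound messages carrying a Luhn-valid 13 to 19 digit PAN and logs only a masked form of it; the sample messages are constructed for illustration.

```python
"""Flag e-mail bodies that carry an unencrypted PAN (PCI DSS 4.2).

Added example: a Luhn-validated PAN scan a mail gateway or DLP rule could
run before a message is accepted. Sample messages below are constructed.
"""
import re

# Candidate: 13-19 digits, each optionally followed by a space or dash.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the finding can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list:
    """Masked PANs found in text; digit runs that fail Luhn are ignored."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found

# Constructed sample traffic: one order message with a test PAN, one without.
SAMPLE_MESSAGES = {
    "Order 1234567890123456": "Please charge card 4111 1111 1111 1111 exp 01/09.",
    "Invoice 1234567890123456": "Payment made by phone, call 1-800-555-0199.",
}

def scan_mailbox(messages: dict) -> dict:
    """Map each flagged subject to the masked PANs found in its body."""
    return {subj: pans for subj, body in messages.items()
            if (pans := find_pans(subj + " " + body))}

if __name__ == "__main__":
    for subject, pans in scan_mailbox(SAMPLE_MESSAGES).items():
        print(f"REJECT {subject!r}: PAN(s) {pans} sent unencrypted")
```

The 16-digit order number fails the Luhn check and is not reported, which keeps the rule from firing on ordinary reference numbers.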