RE: PCI Compliance

["Michael Benedetto" <mbenedetto () amnh org>]

One thing to understand is PCI does not only pertain to electronic systems, but also to printed records and databases 
that may contain the cardholder information. It also pertains to all companies accepting credit cards.

PCI DSS requirement 4.2 states that you should "Never send unencrypted PANs by e-mail". Therefore, accepting 
unencrypted cardholder information via E-mail is a clear violation of PCI. Additionally, the company will have to 
review how it handles that information after the purchase has been processed. For example, how do they store the 
transaction receipts once the purchase has been made?

Michael Benedetto, CISSP, CISM
Senior Associate Director of Information Technology
Network Systems and Information Security
American Museum of Natural History
   Please consider the environment before printing this e-mail


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Petter Bruland
Sent: Wednesday, January 16, 2008 5:18 PM
To: Jay; pacmansyu () gmail com
Cc: security-basics () securityfocus com
Subject: RE: PCI Compliance

He he I knew someone would respond like this :-)

It's not how they normally do VISA transactions, that's done via phone
for the most part.... which I believe we also deemed insecure a few
threads ago.

Yes, they have a looooooong way before they are PCI compliant.

-Petter

-----Original Message-----
From: Jay [mailto:jay.tomas () infosecguru com] 
Sent: Wednesday, January 16, 2008 2:07 PM
To: pacmansyu () gmail com; Petter Bruland
Cc: security-basics () securityfocus com
Subject: Re: PCI Compliance

The bigger question is who is the d@psh@t company receiving visa
information via email. If that is their idea of secure transactional
mechanism they probably have a far path to meet anything in the PCI
requirements.

Jay
----- Original Message -----
From: Josh Haft [mailto:pacmansyu () gmail com]
To: pbruland () fcglv com
Cc: security-basics () securityfocus com
Sent: Wed, 16 Jan 2008 13:44:09 -0600
Subject: Re: PCI Compliance

With my understanding of PCI, I would say yes, absolutely.

On Jan 16, 2008 12:41 PM, Petter Bruland <pbruland () fcglv com> wrote:
> Curious....
>
> If VISA info is emailed to a company, and that company has a VISA card

> machine that they enter the data into and then it dials up VISA to 
> make the transaction. Will that company need to comply with PCI as 
> there is VISA info in their email system?
>
> Thanks for a lot of good feedback on PCI compliance.
>
> -Petter
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com]
>
> On Behalf Of Stephen Thornber
> Sent: Monday, January 14, 2008 12:26 PM
> To: JD Brown
> Cc: Josh Haft; security-basics () securityfocus com
> Subject: Re: PCI Compliance
>
> Just thought you might like to know I have just saved our company a 
> fortune by going with a product from http://www.securenvoy.com/
>
> It does what it says on the packet and works with mobile phones - 
> simple to configure and use.
>
> And they don't pay me for this either....
>
> Stephen
>
> On 10 Jan 2008, at 16:21, JD Brown wrote:
>
> > I've heard good things about Aladdin, although I have no direct 
> > experience with them.  I know that doesn't tell you a whole lot.  We

> > use RSA SecurID tokens and I will say that it is a solid product, 
> > we've had almost no problems with them.  The only downside is that 
> > the
>
> > Auth Manager server software is not all that impressive...looks like

> > it hasn't been re-written since NT days and it is missing some 
> > features that in my opinion should be there by now.  Also, they 
> > don't support Vista yet or at least they didn't the last time I 
> > talked to them which was maybe around October.  HTH.
> >
> > JD
> >
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com
> > ]
> > On Behalf Of Josh Haft
> > Sent: Wednesday, January 09, 2008 18:36
> > To: security-basics () securityfocus com
> > Subject: PCI Compliance
> >
> > Hello all, need some opinions on PCI compliance.
> >
> > The company I work for is trying to become PCI compliant by June
30...
> > we have a long way to go.
> >
> > According to requirement 8.3 of the PCI DSS, two-factor 
> > authentication
>
> > is required for remote access.
> > I've been evaluating Aladdin's eToken product and have been 
> > impressed,
>
> > especially considering the cost.
> > My question is whether anyone has had experience with this product 
> > in general or as it relates to PCI compliance.
> >
> > The execs are concerned because they seem to be a smaller company 
> > (perhaps not as reputable), but mostly because RSA is the only 
> > two-factor auth solution they've heard of, so are hesitant to adopt 
> > an
>
> > alternative solution.
> >
> > Thoughts, comments or concerns on this approach to complying with 
> > that
>
> > section of the PCI DSS would be appreciated.
> >
> > Josh
> >
> > -----------------------------------------------------
> > This e-mail is confidential and may well be legally privileged. If 
> > you
>
> > have received it in error, you are on notice of its status. Please 
> > notify us immediately by reply e-mail and then delete this message 
> > from your system. Please do not copy it or use it for any purposes, 
> > or
>
> > disclose its contents to any other person. To do so could violate 
> > state and federal privacy laws. Thank you for your cooperation.