Security Basics mailing list archives
Re: Database Encryption and PCI issue.
From: amatachick () gmail com
Date: 13 Feb 2008 14:54:25 -0000
M Farid,

You might want to take another look at the Database requirements for PCI. They just changed the self assessment questionnaire on the 6th of Feb. I've had to go through the whole thing again because a number of things were changed/explained in more depth.

Specifically speaking to database encryption, it looks like Requirement 3.4.1 offers up an option to database table encryption if it's not possible. That option is disk encryption. According to the requirement: "If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts)."

Within the guidance given it goes on to say: "... to be compliant with this requirement, the disk encryption method cannot have: 1) A direct association with the operating system, or 2) Decryption keys that are associated with user accounts."

You can further refer to Appendix B: Compensating Controls in the PCI DSS.

I just wanted to make sure you knew that you have options on this one. :)

Amy
Current thread:
- Database Encryption and PCI issue. m.farid.shawara (Feb 12)
- Re: Database Encryption and PCI issue. Ansgar -59cobalt- Wiechers (Feb 12)
- <Possible follow-ups>
- Database Encryption and PCI issue. Mohamed Farid (Feb 12)
- Re: Database Encryption and PCI issue. Taras Ivashchenko (Feb 12)
- RE: Database Encryption and PCI issue. m.farid.shawara (Feb 13)
- RE: Database Encryption and PCI issue. Craig Wright (Feb 13)
- RE: Database Encryption and PCI issue. Craig Wright (Feb 12)
- Re: Database Encryption and PCI issue. Taras Ivashchenko (Feb 12)
- Re: Database Encryption and PCI issue. amatachick (Feb 13)