Security Basics mailing list archives

RE: PCI Compliance


From: "JD Brown" <jd.brown () smallenoughtocare com>
Date: Thu, 10 Jan 2008 11:21:24 -0500

I've heard good things about Aladdin, although I have no direct
experience with them.  I know that doesn't tell you a whole lot.  We use
RSA SecurID tokens and I will say that it is a solid product; we've had
almost no problems with them.  The only downside is that the Auth
Manager server software is not all that impressive...looks like it
hasn't been re-written since NT days and it is missing some features
that in my opinion should be there by now.  Also, they don't support
Vista yet or at least they didn't the last time I talked to them which
was maybe around October.  HTH.

JD


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Josh Haft
Sent: Wednesday, January 09, 2008 18:36
To: security-basics () securityfocus com
Subject: PCI Compliance

Hello all, need some opinions on PCI compliance.

The company I work for is trying to become PCI compliant by June 30...
we have a long way to go.

According to requirement 8.3 of the PCI DSS, two-factor authentication
is required for remote access.
I've been evaluating Aladdin's eToken product and have been impressed,
especially considering the cost.
My question is whether anyone has had experience with this product in
general or as it relates to PCI compliance.

The execs are concerned because they seem to be a smaller company
(perhaps not as reputable), but mostly because RSA is the only
two-factor auth solution they've heard of, so are hesitant to adopt an
alternative solution.

Thoughts, comments or concerns on this approach to complying with that
section of the PCI DSS would be appreciated.

Josh
