Security Basics mailing list archives

Re: PCI Compliance


From: Kartik <kartik.netsec () gmail com>
Date: Thu, 10 Jan 2008 23:41:07 +0530

Josh,

My customer (in the US) also successfully went for PCI compliance last
year; we used RSA two-factor authentication in that scenario. So, whoever
comes into the network via VPN will get authenticated by RSA.

For PCI compliance, you can also consider things like enabling the
tunnel guard (checking for updated AV, patches, etc. on the client's
machine) on your gateway VPN device.

Thanks,
Kartik
Global Security Operations Center
HCL Technologies ISD
www.hcl.in

On 1/10/08, Josh Haft <pacmansyu () gmail com> wrote:
Hello all, need some opinions on PCI compliance.

The company I work for is trying to become PCI compliant by June 30...
we have a long way to go.

According to requirement 8.3 of the PCI DSS, two-factor authentication
is required for remote access.
I've been evaluating Aladdin's eToken product and have been impressed,
especially considering the cost.
My question is whether anyone has had experience with this product in
general or as it relates to PCI compliance.

The execs are concerned because they seem to be a smaller company
(perhaps not as reputable), but mostly because RSA is the only
two-factor auth solution they've heard of, so they are hesitant to adopt an
alternative solution.

Thoughts, comments or concerns on this approach to complying with that
section of the PCI DSS would be appreciated.

Josh


