Re: CC numbers stored on planes

[Robin Wood <robin () digininja org>]

On 24 January 2012 14:18, David Freedman <freedman.j.d () gmail com> wrote:

> I love Robin's point about being concerned with the assessor's abilities
> to explain why something is in scope and what is considered out of scope.
>  We have recently gone through our yearly PCI compliance 2.0 and there was
> a big debate over what was in scope due to the differences between last 4
> of a PAN and full track data.
One place I've found that isn't always automatically considered in scope is
log servers. People turn on full logging and the CC data gets sent off to a
separate machine then they forget to turn it off or to clear it down later.
Also backup locations, the SQL server either generates a SQL dump or a
binary backup of all the data and that is passed to a separate machine,
that machine isn't in the normal flow of data so people forget about it.

Robin

Tony - how did the SIG work out?  Did it provide
> solid compensating controls for the airlines?  I mean this with honest
> curiosity as I think it is interesting that there are some airlines that
> are not PCI compliant.
>
>
> > On Tue, Jan 24, 2012 at 7:56 AM, Tony Turner <tony_l_turner () yahoo com>wrote:
> >
> > >   Many airlines are not PCI compliant. There are complexities to their
> > > business model with airports, common use platforms and travel agents that
> > > create significant difficulties. This was why we created an informal SIG
> > > for Air Travel PCI. Bottom line, don't assume.
> > >
> > >
> > > Sent from Yahoo! Mail on Android
> > >
> > >  ------------------------------
> > > *From: *Scott Rosenthal <scott.r.rosenthal () gmail com>;
> > > *To: *PaulDotCom Security Weekly Mailing List <
> > > pauldotcom () mail pauldotcom com>;
> > > *Subject: *Re: [Pauldotcom] CC numbers stored on planes
> > > *Sent: *Tue, Jan 24, 2012 12:42:11 PM
> > >
> > >   Hi Robin, here in the states many if not all of the airlines are
> > > required to be PCI compliant. That being said those devices should be
> > > considered in scope by the company that is performing their assessment. If
> > > they are truly PCI compliant, all of the credit card numbers stored on
> > > those devices should be encrypted. I hope that helps.
> > >
> > > Scott
> > >
> > > On Mon, Jan 23, 2012 at 10:13 PM, Robin Wood <robin () digininja org>wrote:
> > >
> > > > I've been on quite a few planes where the duty free and the bar allow
> > > > people to pay by credit card. I'd guess the data is stored and
> > > > downloaded to be processed at the end of each flight, if so, that is a
> > > > great target for card thieves. I wonder how many are actually properly
> > > > protected?
> > > >
> > > > Robin
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com