Guys,
You've got to think, "what's the risk". Ok so the acquirers want the data in plain text. Most places I've seen with this requirement install a dedicated link to their acquirer.
If it's over a VPN then it's going to be encrypted in transport so it's not an issue. People get really hung up on this and it's not a big deal. Logic doesn't dictate that the standard make data encrypted everywhere. In order for the data to be of some use it will have to be decrypted. Storage of it in a decrypted form is the bigger issue as this is where it is most likely to be compromised. Regular dealings with Visa have shown that they are more interested in the data "at rest" post transaction. As long as sensible protection is applied whilst in transit of course.
People who say that sending unencrypted data over an encrypted channel is not sending encrypted data are just missing the point.
Andy Barratt
06.30.07 - 12:50 am
Thanks for the post.
"As long as sensible protection is applied whilst in transit of course."
Absolutely. And yes, you are right that the Standard does not require encryption everywhere but where it is not encrypted, it must be protected in an appropriate manner.
However, you must accept that encrypted data going over an encrypted channel is better than unencrypted.
That said, it's back to the "risk" argument. If you can protect both ends of the channel properly then the risk is usually low. Put that together with the "other" end of the channel being the acquirer (who should have "proper" controls and protection in place) and it should be acceptable to the auditor.
Andrew Mason
06.30.07 - 9:21 am
Dear colleagues,
I would like to inform you that in September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements. The latest version fully supports the PCI DSS 1.1 standard.
PTA - Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of your business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.
PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from the following link:
http://www.ptatechnologies.com
PTA fully supports the PCI DSS 1.1 standard. Download a free PTA for PCI DSS security library from the following url:
http://www.ptatechnologies.com/?
...ction=documents
Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.
Regards,
Zeev Solomonik
R&D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com
Zeev Solomonik
10.03.07 - 2:42 pm
Thanks for this excellent blog post. I plan to read your blog a lot more.
pci dss
07.29.09 - 10:04 am