
RE: PCI - encryption requirements

Subject: RE: PCI - encryption requirements
Date: Wed, 19 Oct 2005 19:32:32 -0400
Laurin

Although I have not seen any of them give an "approved" list, the PCI,
Security Operating Policy (DSOP), Discover Information Security and
Compliance (DISC), MasterCard Site Data Protection (SDP), Visa
International Account Information Security (AIS), and Visa USA Cardholder
Information Security Program (CISP) all seem to mention algorithms that
are FIPS-140 approved.

I am by no means suggesting that there is a relationship there, simply
making an observation.  Seems I would feel safe choosing FIPS-140 approved
algorithms to show due diligence.

Hope that sheds some light.

Regards,

Dave



-----Original Message-----
From: Laurin Buchanan [mailto:buchanal@mscdirect.com]
Sent: Tuesday, October 18, 2005 17:29
To: 'security-management@securityfocus.com'
Subject: PCI - encryption requirements

Greetings, all,

A question has arisen and, like all the other posts here, I
hope someone might be able to assist me.  :>)

In the new PCI Data Security Standard for credit cards, the
documentation indicates a requirement for "strong encryption
such as Triple-DES 128-Bit or AES 256-bit", but no additional
information seems to be provided.  My explanations about
strong encryption meaning strong algorithm (no significant
known weaknesses), long key length and appropriate key
management schemes are not going far.  I believe they want to
see it in black and white for themselves, as I have received
a request to locate a definitive "approved" list and/or a
"not approved" list of algorithms for what constitutes strong
encryption - does anyone know of such a list published by
Visa or Mastercard??

Thanks in advance,

Laurin Buchanan, CISSP
Information Security
MSC Industrial Direct
v: 516.812.1358



