
RE: PCI - encryption requirements

Subject: RE: PCI - encryption requirements
Date: Wed, 19 Oct 2005 15:55:53 -0700
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Laurin,

Most of these types of requirements are left open and vague for the
purpose of allowing organizations to determine the best way to meet
them.  I am not aware of anything aside from common recommendations
that you would be able to use to show your management team in clear
black and white.

Most of the literature these days recommends that if you are building
out new encryption strategies and systems to meet requirements like
those defined within the PCI framework, you should probably go with
more recent algorithms like AES 256 with SHA-256 (3DES has a limited
lifespan remaining, and SHA-1 is already considered to be at the end
of its usefulness).  Key management tends to be an even more
difficult issue to address.

I do not believe this will really help you though - the point that
you have brought up is a fundamental concern among many security
professionals who have difficulty getting management to buy into an
appropriate control driven by compliance, be it encryption, or other
people/process/technology controls.  The openness for interpretation
is good in many ways, but can also be a hindrance in some cases.

Best of luck to you in your endeavor,

-Brad Bemis
Moderator


-----Original Message-----
From: Laurin Buchanan [mailto:buchanal@mscdirect.com]
Sent: Tuesday, October 18, 2005 2:29 PM
To: 'security-management@securityfocus.com'
Subject: PCI - encryption requirements

Greetings, all,

A question has arisen and, like all the other posts here, I hope
someone might be able to assist me.  :>)

In the new PCI Data Security Standard for credit cards, the
documentation indicates a requirement for "strong encryption such as
Triple-DES 128-Bit or AES 256-bit", but no additional information
seems to be provided.  My explanations about strong encryption
meaning strong algorithm (no significant known weaknesses), long key
length and appropriate key management schemes are not going far.  I
believe they want to see it in black and white for themselves, as I
have received a request to locate a definitive "approved" list and/or
a "not approved" list of algorithms for what constitutes strong
encryption - does anyone know of such a list published by Visa or
Mastercard??

Thanks in advance,

Laurin Buchanan, CISSP
Information Security
MSC Industrial Direct
v: 516.812.1358


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
-----END PGP SIGNATURE-----
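Brad's reply above recommends AES-256 over 3DES for new builds and notes that key management is the harder part; Laurin's question is what "strong encryption" has to look like in practice. As an added example that is not part of this thread or of any PCI document, the Go program below puts those points into code: the AES-256 key length is enforced by a check rather than by policy text, AES-GCM is used so integrity comes with confidentiality (a swapped-in authenticated mode, not the literal "AES 256 with SHA-256" pairing from the reply), and data-encryption keys (DEKs) are kept wrapped under a key-encryption key (KEK) with the DEK id recorded beside every ciphertext so keys can be rotated. All names here (KeyStore, AddDEK, EncryptPAN, the key ids dek-2005-10 and the sample card number) are this example's own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aesKeyBytes is the AES-256 key size; gcmFor rejects anything else, so "AES-256 only" is enforced in code.
const aesKeyBytes = 32

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not something to continue past
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != aesKeyBytes {
		return nil, fmt.Errorf("expected %d-byte AES-256 key, got %d bytes", aesKeyBytes, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under AES-256-GCM; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext missing or too short")
}

// KeyStore holds one KEK and DEKs wrapped under it; each DEK id is bound into its wrap as AAD.
type KeyStore struct {
	kek     []byte
	wrapped map[string][]byte
}

func NewKeyStore(kek []byte) *KeyStore { return &KeyStore{kek: kek, wrapped: map[string][]byte{}} }

// AddDEK generates a random DEK for id and keeps only its wrapped form; the KEK never leaves the store.
func (ks *KeyStore) AddDEK(id string) error {
	w, err := seal(ks.kek, randomBytes(aesKeyBytes), []byte(id))
	if err != nil {
		return err
	}
	ks.wrapped[id] = w
	return nil
}

func (ks *KeyStore) dek(id string) ([]byte, error) {
	return open(ks.kek, ks.wrapped[id], []byte(id)) // unknown id: nil wrap, so open fails
}

// EncryptPAN encrypts a card number under the DEK named keyID. keyID is stored beside the ciphertext
// and bound to it as AAD; keeping that id is what makes later rotation to a new DEK possible.
func EncryptPAN(ks *KeyStore, keyID, pan string) ([]byte, error) {
	dek, err := ks.dek(keyID)
	if err != nil {
		return nil, err
	}
	return seal(dek, []byte(pan), []byte(keyID))
}

// DecryptPAN authenticates and decrypts a record produced by EncryptPAN under keyID.
func DecryptPAN(ks *KeyStore, keyID string, ct []byte) (string, error) {
	dek, err := ks.dek(keyID)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, ct, []byte(keyID))
	return string(pt), err
}

func main() {
	ks := NewKeyStore(randomBytes(aesKeyBytes))
	_ = ks.AddDEK("dek-2005-10")
	ct, _ := EncryptPAN(ks, "dek-2005-10", "4111111111111111") // constructed sample PAN, not real data
	fmt.Printf("stored under dek-2005-10: %x\n", ct)
}
```

Rotation is DecryptPAN under the old id followed by EncryptPAN under the new one; nothing outside the KeyStore ever sees the KEK, and a stale wrap cannot be relabelled as a newer key id because the id is part of what the wrap authenticates. The key-length check in gcmFor is the kind of artifact that can be shown to management in black and white: a 16- or 24-byte key, or a 3DES key, is simply refused.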