
Re: PCI - encryption requirements

Subject: Re: PCI - encryption requirements
Date: Wed, 19 Oct 2005 20:43:43 -0400
Hi Laurin,

Last I heard, MC and Visa hadn't specified anything in particular (mostly 
for liability reasons, I imagine). Also, the big three US credit bureaus 
are supposedly working together on an "industry-wide" encryption standard. 
Presumably, the major cc companies will adopt this standard when it's 
ready, so you might want to go with the least expensive 128-bit solution 
short term.

In the meantime, try to explain to your management that PCI is a "good 
security practice" guideline intended to make sure you cover all the 
bases. Maybe it would help your case if you showed them similar 
"standards" from ISO, NIST, etc? You could always call the credit card 
companies and ask for that explanation in writing...

Good luck.

- Rich

Laurin Buchanan <buchanal@mscdirect.com>
10/18/2005 05:29 PM

To: "'security-management@securityfocus.com'" <security-management@securityfocus.com>
cc:
Subject: PCI - encryption requirements

Greetings, all,

A question has arisen and, like all the other posts here, I hope someone
might be able to assist me.  :>)

In the new PCI Data Security Standard for credit cards, the documentation
indicates a requirement for "strong encryption such as Triple-DES 128-Bit or
AES 256-bit", but no additional information seems to be provided.  My
explanations about strong encryption meaning strong algorithm (no
significant known weaknesses), long key length and appropriate key management
schemes are not going far.  I believe they want to see it in black and white
for themselves, as I have received a request to locate a definitive
"approved" list and/or a "not approved" list of algorithms for what
constitutes strong encryption - does anyone know of such a list published by
Visa or Mastercard??

Thanks in advance,

Laurin Buchanan, CISSP
Information Security 
MSC Industrial Direct
v: 516.812.1358
