Jonathan Care
Paresh Deshmukh
Global Security Consulting
Everything from a legitimate work-around for a security challenge to something that the CIO wants to achieve
+ Now:
+ Meet the intent and rigor of the original PCI DSS requirement
+ Provide a similar level of defence as the original PCI DSS requirement
+ Be above and beyond other PCI DSS requirements (not simply in compliance with them)
+ Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement
+ Harder to do
+ Cost more money in the long run than addressing the original issue
+ Not a permanent solution for a compliance gap
+ There is no compensating control for storing sensitive authentication data after authorisation
+ While there is no defined lifespan for compensating controls, they must be reviewed as part of the annual assessment
+ Does it (still) meet the four criteria?
+ Does the original constraint still exist?
+ Is it still effective in the current security threat landscape?
+ Does this meet the criteria for compensating controls?
+ Am I willing to put my name to this?
+ "Just do it"
+ "It's a mainframe"
+ RAID-5
+ Transposing digits in the PAN
+ Disk-only encryption inside the data centre without additional user credentials
+ Transparent encryption appliances
+ BUT ALSO
+ By the way, encryption is not the problem with Requirement 3; key management is!
Using COBOL's random number generator to generate 16 digits (128 bits) leads to:
+ Lack of randomness due to entropy issues
+ Elimination of keyspace, leaving only 53 bits of possible key material
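The keyspace point above is easy to miss because the key looks right on disk. The following Python is an added illustration, not code from the presentation: it builds a key the way a decimal-digit generator would (a constructed stand-in for the COBOL RNG, using `secrets` so the only weakness shown is the digit alphabet), then compares the nominal 128 bits of a 16-byte key with the ~53 bits that 16 decimal digits can actually provide. The function names are the example's own.

```python
import math
import secrets


def effective_key_bits(num_symbols: int, alphabet_size: int) -> float:
    """Entropy in bits of a key whose positions are each drawn uniformly from
    alphabet_size possible symbols: log2(alphabet_size ** num_symbols)."""
    return num_symbols * math.log2(alphabet_size)


def decimal_digit_key(num_digits: int = 16) -> bytes:
    """Constructed stand-in for a key built from a decimal RNG, as on the slide.
    Every position is an ASCII digit '0'..'9', so each byte can take only
    10 of its 256 possible values even though it occupies a full byte."""
    return "".join(str(secrets.randbelow(10)) for _ in range(num_digits)).encode("ascii")


def nominal_key_bits(key: bytes) -> int:
    """What the key looks like on disk: 16 bytes reads as '128 bits'."""
    return len(key) * 8


def keyspace_report(num_digits: int = 16) -> dict:
    """Compare the digit-built key with a key whose bytes use the whole 0..255 range."""
    digit_key = decimal_digit_key(num_digits)
    full_key = secrets.token_bytes(num_digits)  # each byte drawn from all 256 values

    nominal = nominal_key_bits(digit_key)              # 128
    effective = effective_key_bits(num_digits, 10)     # 16 * log2(10) = 53.15...
    full = effective_key_bits(len(full_key), 256)      # 16 * 8 = 128

    return {
        "nominal_bits": nominal,
        "effective_bits": effective,
        "full_entropy_bits": full,
        # How many times smaller the search space is than the 128-bit label suggests.
        "keyspace_shrink_factor": 2 ** (nominal - effective),
        # Evidence of the restricted alphabet: every byte is an ASCII digit.
        "digits_only": all(b in b"0123456789" for b in digit_key),
        "full_key_digits_only": all(b in b"0123456789" for b in full_key),
    }


if __name__ == "__main__":
    for name, value in keyspace_report().items():
        print(f"{name}: {value}")
```

The shrink factor comes out around 2^75: a brute-force search over the digit-built key is roughly 2^75 times smaller than the 128-bit label implies, which is why the slide's figure of 53 bits is the one that matters for risk.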
[Diagram: payment flow from Customer and Associate through Corporate Offices (Application Servers, Database Servers, Mainframe) to the Financial Institution]
+ Risks:
+ Card numbers are not encrypted at the point of sale
+ Routers/switches can redirect or span traffic for capture
+ Now encrypted at the point of sale using industry-accepted algorithms
+ Stays encrypted until passed to the financial institution
+ PANs are replaced with reference numbers when the transaction returns
+ Mitigated risks by rendering the data unreadable
[Diagram: the same flow from Customer through Corporate Offices (Application Servers, Database Servers, Mainframe) to the Financial Institution, now with encryption at the point of sale]
+ Can you truncate PAN data?
+ Does your ecommerce site really need to be in the payment flow?
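Two of the scope-reduction ideas in this deck, replacing PANs with reference numbers once the transaction returns and truncating PAN data, are shown together in the added Python below; it is illustration written for this page, not code from the presentation or from Gartner. PCI DSS permits at most the first six and last four digits of a PAN to be displayed, and the truncation function refuses anything more. `TokenVault` is a hypothetical in-memory tokenisation service standing in for whatever system would hold the PAN, and `SAMPLE_PAN` is the well-known Visa test number, not real cardholder data.

```python
import secrets

# Constructed sample: the standard Visa test PAN, not real cardholder data.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a plausibility check before treating a string as a PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncate a PAN for display or storage. PCI DSS allows at most the first
    six and last four digits in the clear, so larger values are rejected."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("PCI DSS allows at most the first 6 and last 4 digits")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[len(pan) - keep_last:]


class TokenVault:
    """Hypothetical tokenisation service. The vault is the only place the PAN
    lives; application servers, databases and the mainframe hold only the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:            # one PAN always maps to one token
            return self._token_by_pan[pan]
        while True:
            # Random digits of the same length so legacy fields still fit.
            # Tokens that would pass Luhn are rejected so a token can never be
            # mistaken for, or accidentally used as, a real card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan)))
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the component that talks to the financial institution needs this."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("stored downstream:", token)
    print("shown on receipt:", truncate_pan(SAMPLE_PAN))
    print("recovered for settlement:", vault.detokenize(token))
```

Systems that only ever see the token or the truncated form are holding neither cardholder data nor anything a compensating control has to defend, which is the scope reduction the questions above are driving at.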
Compensating controls may help you lower the bar of compliance in the short term, but remember, only you can prevent a security breach.
Gartner Toolkit Presentation: PCI Compliance Is Hard to Achieve but Worthwhile - 4 May 2007
Confidential and Proprietary