I was watching the sky very closely last week and it looks like it is
in its place and will not fall after all. It's been more than a week
since the PCI 6.6 deadline date passed. Merchants and other institutions
are doing their best to meet the different requirements. Now that this
milestone has passed, we can focus on some other controversial topics, such
as section 3.4.

Requirement 3 is all about protecting stored cardholder data. The PCI text adds that
"Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities."
But then it adds:
"The MINIMUM account information that must be rendered unreadable is the PAN. If for some reason, a company is unable to encrypt cardholder data, refer to Appendix B: Compensating Controls for Encryption of Stored Data."
So, Appendix B adds a compensating control. The PCI standard is very straightforward and provides the listing of all necessary controls that can be used to compensate for encryption. Gartner published a research note in late 2006 that describes how solutions like SecureSphere can be used to compensate for encryption (Database Activity Monitoring Is a Viable Stopgap to Database Encryption for the Payment Card Industry Data Security Standard (and Beyond), Gartner ID Number: G00141630).
I wonder why this topic did not receive the same level of public attention as WAF and code review for PCI 6.6: two groups of security experts arguing about best practices with the assistance of the PCI assessors. If I could predict the future, I'd say that we'll see more debates there...