PCI DSS compliance

F Rafi farhanible at gmail.com
Wed Nov 9 21:54:28 CET 2016


Probably out of scope for this list, but if the process is automated you'd
want to reduce the number of people with access to the keys to only staff
with need-to-know. Usually that translates to IT support / administrators.
Beyond that, safeguards against people (specifically administrators) cannot
be technical controls. They have to be policies, procedures, and
monitoring/audit. You should demonstrate that:

   - You are doing background checks against employees with access to the
   keys
   - Those background checks look at issues like debt
   - You have security policies and procedures that dictate use of
   well-known security best practices
   - You have a security awareness program that ensures that employees are
   reminded of best practices
   - You keep a log of whoever is logging into the system to access the key

You just have to trust your employees at some point. None of this mitigates
a rogue insider with access to the keys.

-Farhan


On Wed, Nov 9, 2016 at 11:16 AM, Mike Schleif <mike at mdsresource.net> wrote:

> During our current annual PCI DSS audit, our auditor complains that a
> human being can access the company's private key and, thus, a human being
> can decrypt sales files containing credit card information.
>
> All production processes are fully automated and run as non-privileged
> user.
>
> We use GPG encryption for all file exchanges between this company and
> banks, and between vendors/clients and this company. The latter is the
> issue.
>
> What can be done about this?
>
> Please, advise. Thank you.
>
> ~ Mike
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users