PCI DSS compliance
farhanible at gmail.com
Wed Nov 9 21:54:28 CET 2016
Probably out of scope for this list, but if the process is automated you'd
want to reduce the number of people with access to the keys to only staff
with need-to-know. Usually that translates to IT support / administrators.
Beyond that, safeguards against people (specifically administrators) cannot
be technical controls. They have to be policies, procedures, and
monitoring/audit. You should demonstrate that:
- You are doing background checks against employees with access to the
- Those background checks look at issues like debt
- You have security policies and procedures that dictate use of
well-known security best practices
- You have a security awareness program that ensures that employees are
reminded of best practices
- You keep a log of whoever is logging into the system to access the key
You just have to trust your employees at some point. None of this mitigates
a rogue insider with access to the keys.
On Wed, Nov 9, 2016 at 11:16 AM, Mike Schleif <mike at mdsresource.net> wrote:
> During our current annual PCI DSS audit, our auditor complains that a
> human being can access the company's private key and, thus, a human being
> can decrypt sales files containing credit card information.
> All production processes are fully automated and run as non-privileged
> We use GPG encryption for all file exchanges between this company and
> banks, and between vendors/clients and this company. The latter is the
> What can be done about this?
> Please, advise. Thank you.
> ~ Mike
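As an added example (not from the original thread), one way to back the "keep a log of whoever accesses the key" control above with detection logic: it parses constructed auditd-style records for a watched GnuPG home and attributes each read of the key material to the login uid (auid) rather than the effective uid, so a person who switched to the automation account is still visible. The path /srv/pci/.gnupg, the service UID 1001, the audit key gpg-key and the sample records are all assumptions.

```python
import re

SERVICE_UID = 1001            # assumed UID of the automated pipeline account
KEY_DIR = "/srv/pci/.gnupg/"  # assumed GnuPG home holding the private key

# Constructed sample records in the shape auditd writes for a watch rule such as
# `-w /srv/pci/.gnupg -p r -k gpg-key` (rule, uids and paths are assumptions).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1478725200.101:3001): syscall=2 success=yes auid=1001 uid=1001 tty=(none) comm="gpg" exe="/usr/bin/gpg" key="gpg-key"
type=PATH msg=audit(1478725200.101:3001): item=0 name="/srv/pci/.gnupg/secring.gpg" mode=0100600
type=SYSCALL msg=audit(1478728800.555:3042): syscall=2 success=yes auid=2002 uid=1001 tty=pts0 comm="gpg" exe="/usr/bin/gpg" key="gpg-key"
type=PATH msg=audit(1478728800.555:3042): item=0 name="/srv/pci/.gnupg/secring.gpg" mode=0100600
type=SYSCALL msg=audit(1478732400.007:3099): syscall=2 success=yes auid=2003 uid=2003 tty=pts1 comm="cp" exe="/bin/cp" key="gpg-key"
type=PATH msg=audit(1478732400.007:3099): item=0 name="/srv/pci/.gnupg/secring.gpg" mode=0100600
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EVENT_ID = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_audit_events(text):
    """Group the SYSCALL and PATH records of each audit event id into one dict."""
    events = {}
    for line in text.splitlines():
        m = _EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        ev = events.setdefault(m.group(2), {"time": float(m.group(1)), "paths": []})
        if fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
        elif fields.get("type") == "SYSCALL":
            ev.update({k: fields.get(k, "") for k in ("auid", "uid", "tty", "comm", "exe")})
    return events


def find_human_key_access(text, service_uid=SERVICE_UID, key_dir=KEY_DIR):
    """Accesses under key_dir whose login uid (auid) is not the service account.
    auid is set at login and survives su/sudo, so a person who switched to the
    service account still shows their own auid while uid shows the service uid."""
    hits = []
    for ev_id, ev in sorted(parse_audit_events(text).items(), key=lambda kv: kv[1]["time"]):
        if not any(p.startswith(key_dir) for p in ev["paths"]):
            continue
        if ev.get("auid") == str(service_uid):
            continue  # the automated pipeline reading its own key: expected
        hits.append({"event": ev_id, "auid": ev["auid"], "uid": ev["uid"],
                     "tty": ev["tty"], "comm": ev["comm"], "paths": ev["paths"]})
    return hits
```

Running find_human_key_access(SAMPLE_AUDIT_LOG) reports two of the three constructed events: the first is the pipeline reading its own key and is expected, the second is a user who switched to the service account before running gpg, and the third is a direct copy of the keyring file by another user.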