PCI DSS compliance

Mike Schleif mike at mdsresource.net
Thu Nov 10 15:13:49 CET 2016


Yes, our company has been doing all four of your suggestions for years,
including written policies and procedures, and we passed all prior years of
PCI DSS auditing without incident.

Near as I can tell, nothing has changed in this regard in the PCI DSS standards
in the last twelve months, with which our auditor agrees.

You can find his non-member post here:
https://lists.gnupg.org/pipermail/gnupg-users/2016-November/057009.html

He says that PGP has some mechanism that satisfies this requirement. I
haven't touched PGP in more than four years. Do they have something new?

~ Mike


On Wed, Nov 9, 2016 at 2:54 PM, F Rafi <farhanible at gmail.com> wrote:

> Probably out-of-scope for this list but, if the process is automated you'd
> want to reduce the number of people with access to the keys to only staff
> with need-to-know. Usually that translates to IT support / administrators.
> Beyond that, safeguards against people (specifically administrators) cannot
> be technical controls. They have to be policies, procedures, and
> monitoring/audit. You should demonstrate that:
>
>    - You are doing background checks against employees with access to the
>    keys
>    - Those background checks look at issues like debt
>    - You have security policies and procedures that dictate use of
>    well-known security best practices
>    - You have a security awareness program that ensures that employees
>    are reminded of best practices
>    - You keep a log of whoever is logging into the system to access the
>    key
>
> You just have to trust your employees at some point. None of this
> mitigates a rogue insider with access to the keys.
>
> -Farhan
>
>
> On Wed, Nov 9, 2016 at 11:16 AM, Mike Schleif <mike at mdsresource.net>
> wrote:
>
>> During our current annual PCI DSS audit, our auditor complains that a
>> human being can access the company's private key and, thus, a human being
>> can decrypt sales files containing credit card information.
>>
>> All production processes are fully automated and run as non-privileged
>> user.
>>
>> We use GPG encryption for all file exchanges between this company and
>> banks, and between vendors/clients and this company. The latter is the
>> issue.
>>
>> What can be done about this?
>>
>> Please, advise. Thank you.
>>
>> ~ Mike
>>
>>
>>
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>