PCI DSS compliance

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Thu Nov 10 16:07:10 CET 2016

On 11/10/2016 03:50 PM, helices wrote:
> So would I!
> At this point, our company must achieve PCI DSS compliance before year end,
> and the road to that necessity leads through this auditor, who insists that
> PGP satisfies all requirements.
> There is no explanation that he shares with us.

I'd expect it to be a reference to the Shamir secret sharing scheme that I
believe formed part of PGP at some point, but I haven't really looked into
PGP for a while. This would allow e.g. splitting a key into 5 parts and
requiring 2 or 3 at the same time to access it. For the automated system,
this would presumably require two administrators to set it up, and the
expectation that nobody willfully modifies the application or reads the
full private key in memory during regular operation, but at that point it
would hinder any one admin from having access to the full key to use
outside of the system.

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Aut disce aut discede
Either learn or leave
