[PCI-DSS] Requirement 3: Protect stored cardholder data

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.
#11

There are many clients who are not using disk encryption, but in the SAQ or the audit procedures the "Not Applicable" indication is not permitted. So, what is the best option? a) check as compliant, or b) check as not compliant and write a comment in the "Special*" field.
Thanks!
#12

We are using the NetApp Decru solution, which encrypts the disks presented to the servers from HP EVA storage. Control of the encryption and of access is done by the Decru administrators, who use system cards and a username/password to access the Decru system. Does this comply with Req. 3.4.1?

If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts.
#13

From what I understand, Decru's solution does not encrypt hard drives. It's a transparent solution that goes in front of the protected resource/NAS and encrypts network/application traffic in transit.
I did look at their website, but unfortunately a precise architecture or detailed deployment examples do not appear. You still need to encrypt local hard drives to meet 3.4.1, to mitigate the risk of theft and unauthorized local access. Decru still adds value in ensuring you can only access the data at rest by using encryption keys that the Decru appliance manages, and perhaps you could compensate your way around 3.4.1 with stricter local access policies and physical security. Note that as Decru encrypts everything going to and from the protected resource, you will need a backup system that supports this. You can't get around it with a locally attached encryption solution, as this could still be storing cardholder data in clear text.
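The distinction posts #12 and #13 turn on (keys released by a separate key custodian with their own credential, versus keys that anyone with OS admin rights can reach) is easiest to see as a small envelope-encryption model. The following is an added example, not code from the thread or from NetApp/Decru. It runs on the Python standard library only, so the cipher is a stand-in (HMAC-SHA256 keystream plus an HMAC tag) for the AES-GCM/XTS a real deployment would use; the principal names, credentials and the PAN record are constructed for the example.

```python
"""Design A: DEK protected only by native OS ACLs (OS admin = data access).
Design B: DEK wrapped under a KEK held off the host and released only to an
enrolled key custodian, so OS access control and key access are independent."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh 16-byte nonce (stand-in for AES-GCM)."""
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class NativeOsKeyStore:
    """Design A: the volume DEK sits in a file guarded only by OS ACLs.
    Root / Domain Admins bypass ACLs, so OS access control *is* key access control."""

    def __init__(self) -> None:
        self._dek = secrets.token_bytes(32)
        self._acl = {"svc_db"}  # hypothetical service account allowed to read the key file

    def read_dek(self, principal: str, is_os_admin: bool = False) -> bytes:
        if is_os_admin or principal in self._acl:
            return self._dek
        raise PermissionError(f"{principal} denied by ACL")


class KeyManager:
    """Design B: models an appliance that keeps the KEK off the host and authenticates
    key custodians itself (smart card + PIN modelled as one credential string).
    The host OS has no principals here, so an OS admin is just an unauthenticated caller."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self._custodians: dict = {}
        self.audit: list = []

    def enroll_custodian(self, name: str, credential: str) -> None:
        salt = secrets.token_bytes(16)  # store only a salted PBKDF2 hash of the credential
        self._custodians[name] = salt + hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)

    def new_volume_key(self) -> bytes:
        """Return a wrapped DEK; this blob is all that lives on the host."""
        return seal(self._kek, secrets.token_bytes(32))

    def unwrap(self, wrapped_dek: bytes, custodian: str, credential: str) -> bytes:
        rec = self._custodians.get(custodian)
        if rec is None:
            self.audit.append(f"DENY unknown custodian {custodian}")
            raise PermissionError("unknown custodian")
        salt, stored = rec[:16], rec[16:]
        if not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)):
            self.audit.append(f"DENY bad credential for {custodian}")
            raise PermissionError("bad credential")
        self.audit.append(f"RELEASE to {custodian}")
        return unseal(self._kek, wrapped_dek)


PAN_RECORD = b"4111111111111111|12/09"  # constructed sample cardholder record


def os_admin_reads_data_under_design_a() -> bool:
    store = NativeOsKeyStore()
    blob = seal(store.read_dek("svc_db"), PAN_RECORD)
    # a Domain Admin absent from the ACL still obtains the key, hence the data
    return unseal(store.read_dek("da_jsmith", is_os_admin=True), blob) == PAN_RECORD


def os_admin_blocked_under_design_b() -> bool:
    km = KeyManager()
    km.enroll_custodian("custodian1", "card:0042+pin:7391")
    wrapped = km.new_volume_key()
    blob = seal(km.unwrap(wrapped, "custodian1", "card:0042+pin:7391"), PAN_RECORD)
    try:  # OS admin holds the whole host (wrapped key + ciphertext) but no custodian credential
        km.unwrap(wrapped, "da_jsmith", "any-os-secret")
        return False
    except PermissionError:
        pass
    try:  # and the wrapped key blob is useless as a DEK on its own
        unseal(wrapped, blob)
        return False
    except ValueError:
        return km.audit[-1].startswith("DENY")


if __name__ == "__main__":
    print("design A, OS admin reads PAN:", os_admin_reads_data_under_design_a())
    print("design B, OS admin blocked:  ", os_admin_blocked_under_design_b())
```

The check an assessor would apply against this model is the same one they apply to a Decru-style deployment: enumerate every principal that can cause the DEK to be released, and confirm none of them is a local or Active Directory account. The audit list in `KeyManager` is there because key release events, not just OS logins, are what you want in the logs when reviewing that path.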