Well, it makes sense to me that it specifies PAN data (and probably CVV2, PINs, yadda). I should really take the time to read the PCI-DSS, but I have the attention span of a newborn puppy. The only requirement is really for "strong cryptography" which, in the context of PKI, is 1024-bit or greater.
Mostly I think these standards are written in a way that is just vague enough to make my life a living hell. I really wish "when in doubt, encrypt" would be codified in everything so I could recover a measurable portion of my lifespan from all the meetings. Generally, I really like TLS. However, FTPS is (by far) the worst mechanism to come out of the last decade. If you don't care about providing your own certificate, it's pretty simple. But when you depend on FTP+TLS, life becomes miserable because it's neither trivial nor commonplace. </Rant>

Yours,
Scott

On Tue, Jan 5, 2010 at 7:06 AM, Hal Merritt <[email protected]> wrote:
> Want more weird?
>
> Only TLS/SSL is mentioned in the PCI DSS (albeit in a context applicable
> only to PANs, not data in general).
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Scott
> Sent: Monday, January 04, 2010 3:50 PM
> To: [email protected]
> Subject: Re: PCI and Auditors perceptions thereof
>
> Packet inspection? Weird.
>
> You can, with FTPS, open up the control channel so the Firewall can monitor
> the control connection (port 21), which lets it dynamically assign ports
> that the server/client negotiate for the data connection (aka port 20).
> SFTP (SSH) is entirely encrypted and cannot have its activity monitored.
>
> Scott
>
> On Mon, Jan 4, 2010 at 1:01 PM, Hal Merritt <[email protected]> wrote:
> > Trying to do some due diligence in planning some data transfers and
> > getting really confused.
> >
> > Many seem to be saying that all FTP traffic has to be encrypted to meet
> > PCI standards. And yet I cannot find any such statement in the PCI standards.
> > But I did find a requirement for firewall packet inspection which, I am
> > told, is impossible if the traffic is encrypted. Did I read that right?
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
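The point in Scott's quoted message (the firewall can only pinhole the negotiated data port if it can read the FTP control channel) is easy to see in code. The following is an added illustration written for this page, not code from the thread or from any FTP product: a minimal model of what a firewall application-layer gateway extracts from PASV/EPSV replies, run over two constructed control-channel transcripts. The cleartext session yields the data endpoints; the explicit-FTPS session goes opaque after the server's 234 reply to AUTH TLS, so nothing can be derived. The transcripts, the server address 192.0.2.10 and the port numbers are all made up for the example. RFC 4217's CCC command, which returns the control channel to cleartext after authentication, is one way to get the visibility Scott describes; this model does not simulate it.

```python
import re

# Constructed sample transcripts (not captured from any real server).
# Plain FTP: an ALG can read the 227/229 replies and open pinholes.
CLEARTEXT_SESSION = """\
220 FTP server ready
USER alice
331 Password required
PASS ********
230 Logged in
PASV
227 Entering Passive Mode (192,0,2,10,195,80)
RETR report.csv
150 Opening data connection
226 Transfer complete
EPSV
229 Entering Extended Passive Mode (|||50001|)
"""

# Explicit FTPS: after the 234 reply to AUTH TLS the same commands and
# replies are carried inside TLS, so an inspecting device sees ciphertext.
FTPS_SESSION = """\
220 FTP server ready
AUTH TLS
234 Proceed with negotiation
USER alice
331 Password required
PASS ********
230 Logged in
PASV
227 Entering Passive Mode (192,0,2,10,195,80)
"""

# 227 reply (RFC 959): host and port as six decimal bytes, port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (RFC 2428): only the port, inside (|||port|).
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_data_endpoints(control_lines, server_ip="192.0.2.10"):
    """Return the (ip, port) pairs of negotiated passive data connections
    found in readable control-channel reply lines. EPSV replies carry no
    address, so the server's control-connection address is used."""
    endpoints = []
    for line in control_lines:
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            continue
        m = EPSV_RE.match(line)
        if m:
            endpoints.append((server_ip, int(m.group(1))))
    return endpoints


def alg_view(control_text, server_ip="192.0.2.10"):
    """Simulate what a firewall ALG learns from one session.
    Lines exchanged before TLS is negotiated are readable; once the server
    answers AUTH TLS with a 234 reply, the rest of the session is opaque.
    Returns (endpoints, opaque)."""
    visible = []
    auth_pending = False
    opaque = False
    for line in control_text.splitlines():
        visible.append(line)
        if line.upper().startswith("AUTH TLS"):
            auth_pending = True
        elif auth_pending and line.startswith("234"):
            opaque = True
            break  # everything after this point is ciphertext to the ALG
    return parse_data_endpoints(visible, server_ip), opaque


if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("ftps", FTPS_SESSION)):
        endpoints, opaque = alg_view(session)
        print(f"{name}: pinholes={endpoints} opaque={opaque}")
```

The same outcome applies to SFTP, where there is no cleartext FTP phase at all. The usual defender-side answer when the control channel cannot be inspected is to configure a fixed passive port range on the server and a matching static firewall rule, instead of relying on per-session pinholes.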

