> From: owner-openssl-us...@openssl.org On Behalf Of Eric S. Eberhard
> Sent: Tuesday, 07 June, 2011 15:21

> I would point out in that last approach -- encrypting and sending
> unsecure (which is a good idea in many cases) does have a few
> considerations. If the data is sensitive (like magnetic strip data
> from a credit card) this is completely NOT ALLOWED. PCI and PA-DSS
> won't allow it to hit the disk. If you do hit the disk and you care
> about security on either end, you also need a secure delete
<snip>

To be exact, PCI DSS (and therefore PA-DSS) prohibits storing
magstripe, CVV2 and PIN "after authorization (even if encrypted)".
Authorization should always be real-time and thus there should be
no good reason to store on disk during auth, but it isn't
specifically prohibited. If you do store it, yes you will then
need to wipe it.

But this is not specific to my last approach. The OP's question
seemed to be about files, and storing this data in a clear file
securely transferred with FTPS, SFTP, or such would be even worse.

> At 08:44 PM 6/6/2011, Dave Thompson wrote:
> >Another approach is to secure the files themselves,
> >rather than just the transfer. That is, encrypt and
> >perhaps sign the files when (or before) they are
> >placed on the sending system(s), transfer them
> >using plain FTP or HTTP or other, and decrypt and
> >perhaps verify them on the receiving system(s).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
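
The file-level approach quoted above (sign and encrypt before transfer, decrypt and verify on receipt), as an added example that is not part of the original message. It uses the `openssl cms` command with throwaway self-signed certificates; the names `sender`, `receiver`, `report.txt` and the helper functions are assumptions, and the sample record is constructed, not cardholder data.

```shell
#!/bin/sh
# Added example: protect the file itself with OpenSSL CMS, then use any transport.
# Names, keys and the sample record are constructed for this demo.

new_identity() {  # $1 = name; throwaway self-signed cert and key (assumption)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

seal() {  # sending side: $1 = plaintext in, $2 = protected file out
    # Sign first, so the signature travels inside the encryption.
    openssl cms -sign -binary -nodetach -in "$1" -signer sender.crt \
        -inkey sender.key -outform DER -out "$2.signed" &&
    openssl cms -encrypt -binary -aes-256-cbc -in "$2.signed" \
        -outform DER -out "$2" receiver.crt
    rc=$?; rm -f "$2.signed"; return $rc
}

unseal() {  # receiving side: $1 = protected in, $2 = plaintext out, $3 = trusted signer cert
    openssl cms -decrypt -inform DER -in "$1" -recip receiver.crt \
        -inkey receiver.key -out "$1.signed" 2>/dev/null &&
    openssl cms -verify -binary -inform DER -in "$1.signed" \
        -CAfile "$3" -out "$2" 2>/dev/null
    rc=$?; rm -f "$1.signed"
    [ "$rc" -eq 0 ] || rm -f "$2"   # never keep output that failed verification
    return $rc
}

demo() (  # subshell body: the cd and the trap stay local
    work=$(mktemp -d) && cd "$work" || exit 1
    trap 'rm -rf "$work"' EXIT       # plain rm, not the secure wipe real data needs
    new_identity sender && new_identity receiver || exit 1
    printf 'constructed sample record, not card data\n' > report.txt
    seal report.txt report.p7m || exit 1
    # report.p7m is what would go over plain FTP or HTTP.
    unseal report.p7m recovered.txt sender.crt || exit 1
    cmp -s report.txt recovered.txt || exit 1
    # Same file, but the receiver trusts a different signer: must be rejected.
    if unseal report.p7m wrong.txt receiver.crt; then exit 1; fi
    echo "round trip ok, untrusted signer rejected"
)

demo
```

In real use the receiving side would pass the sender's actual certificate (or its issuing CA) as the trusted signer, obtained out of band rather than alongside the file.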