Re: [U2] Credit Card numbers in your database

2012-04-20 Thread Drew William Henderson
I'm attending a PCI conference next week... I'll try to remember to ask that 
question.

-Original Message-
From: u2-users-boun...@listserver.u2ug.org 
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Wjhonson
Sent: Friday, April 20, 2012 12:19 PM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] Credit Card numbers in your database


No one addressed this from the point of actual experience, so I think we can 
probably assume that no one has actually scrubbed old backup media.

Just wanted to make sure I wasn't alone in thinking that wasn't a necessary 
step.
___
U2-Users mailing list
U2-Users@listserver.u2ug.org
http://listserver.u2ug.org/mailman/listinfo/u2-users




Re: [U2] Credit Card numbers in your database

2012-04-20 Thread Wjhonson

No one addressed this from the point of actual experience, so I think we can 
probably assume that no one has actually scrubbed old backup media.

Just wanted to make sure I wasn't alone in thinking that wasn't a necessary 
step.


Re: [U2] Credit Card numbers in your database

2012-04-19 Thread Tom Whitmore
Hi Carl,
The document appears to be referring to current backups, not old backups.  
Moving forward, you do need to have your data encrypted on tape, but if you 
always encrypt the data at rest then this isn't an issue.

Talking to your QSA to make sure you are meeting PCI requirements for your old 
backups is the best way to be sure.
Tom
RATEX Business Solutions

-Original Message-
From: u2-users-boun...@listserver.u2ug.org 
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Carl Dula
Sent: Thursday, April 19, 2012 6:17 AM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] Credit Card numbers in your database

It appears this list will not allow me to post an attachment, so please take a 
look at the following to answer your question on tape.

https://www.pcisecuritystandards.org/security_standards/documents.php?assocation=PCI%20DSS

To see the document (PCI DSS v2.0) you will have to agree to the license. Then 
download and take a look at both pages 31 and 67.

Also lots of other good info in this document and on this site.

Hope that helps!

--
Carl Dula                     Voice: 973-227-8440 X111
Pulsar Systems, Inc.          Fax: 973-227-8440
271 US Highway 46, STE H209   email: c...@pulsarsystems.com
Fairfield, NJ 07004-2474      http://www.pulsarsystems.com




Re: [U2] Credit Card numbers in your database

2012-04-19 Thread Carl Dula
It appears this list will not allow me to post an attachment, so please take a 
look at the following to answer your question on tape.

https://www.pcisecuritystandards.org/security_standards/documents.php?assocation=PCI%20DSS

To see the document (PCI DSS v2.0) you will have to agree to the license. Then 
download and take a look at both pages 31 and 67.

Also lots of other good info in this document and on this site.

Hope that helps!

--
Carl Dula                     Voice: 973-227-8440 X111
Pulsar Systems, Inc.          Fax: 973-227-8440
271 US Highway 46, STE H209   email: c...@pulsarsystems.com
Fairfield, NJ 07004-2474      http://www.pulsarsystems.com




Re: [U2] Credit Card numbers in your database

2012-04-18 Thread Tom Whitmore
You need to talk to your QSA. Our QSA is great because we can ask him questions 
anytime and he doesn't charge for each question we ask.  He helps us make 
decisions about our products that ease the recertification process.  We only 
pay every 3 years for our PCI PA-DSS certification.  It is well worth the 
investment!  We know we are offering solid PCI PA-DSS solutions to our 
customers.

As I understand it, you are responsible to keep your backups very secure, and 
dispose of the backups in a secure manner (bulk eraser for tape backups?).  For 
disk backups, you should encrypt the backup and securely delete when you no 
longer have a need.  You should have an auditable means of tracking access to 
your backups, especially if it is easy to take the backup off-site.  I don't 
believe you are required to restore the backup, encrypt the data, then cut a 
new backup.

One word of caution, make sure you have the encryption key secured for the 
backups.

When it comes to credit cards, it is best to always err on the side of 
caution.  The consequences if you lose data are huge for you and your customers.

Good luck, PCI is real "fun"!

Tom
RATEX Business Solutions

-Original Message-
From: u2-users-boun...@listserver.u2ug.org 
[mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Wjhonson
Sent: Wednesday, April 18, 2012 5:27 PM
To: u2-users@listserver.u2ug.org
Subject: [U2] Credit Card numbers in your database


Probably every company has gone through adding more stringent rules to the use 
of credit cards in your database.
But surely no one has actually gone back to their old backups to "cleanse" 
them?
Does anyone think that's really part of the PCI DSS we're supposed to be 
following?
We have backups going back umpteen years.
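Before deciding whether an old backup needs cleansing, you need to know whether it holds cardholder data at all. The following is an added example, not code from this thread or from any of its posters: a small Python scanner that runs over a text export taken from a restored backup, reports every number that looks like a PAN and passes the Luhn checksum, and produces a scrubbed copy in which only the last four digits remain (the masking PCI DSS allows for display). The sample export, the field layout and the card numbers in it are constructed for the example; the card numbers are well-known test values, not real cards. The candidate pattern (13 to 19 digits with optional space or dash separators) is the usual PAN shape and an assumption of the example, not a PCI requirement.

```python
import re

# Constructed sample: lines as they might appear in a text export pulled from a
# restored backup. The card-like values are public test numbers (they pass Luhn),
# and the third record's number deliberately fails Luhn to show the filtering.
SAMPLE_EXPORT = """\
CUST*1001*Jane Doe*4111111111111111*2009-03-14
CUST*1002*John Roe*1234567890123456*2009-03-15
ORDER*5551*Qty 3*Invoice 4012888888881881*shipped
NOTE*free text with phone 555-012-3456 and no card
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the pattern from matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, the form PCI DSS permits for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _normalize(match_text: str) -> str:
    """Strip the separators so the checksum and mask see bare digits."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return (line_number, pan) for every Luhn-valid candidate in the export."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _normalize(m.group())
            if luhn_ok(digits):
                hits.append((lineno, digits))
    return hits


def scrub(text: str) -> str:
    """Return the export with every Luhn-valid candidate replaced by its masked form.

    Candidates that fail Luhn (invoice numbers, IDs) are left untouched, so the
    rest of the record stays usable for whatever the retention reason was.
    """
    def repl(m: re.Match) -> str:
        digits = _normalize(m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()

    return "\n".join(PAN_CANDIDATE.sub(repl, line) for line in text.splitlines())


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: PAN ending {pan[-4:]}")
    print(scrub(SAMPLE_EXPORT))
```

Run it against a restored export and the hit list tells you which backup sets actually contain PANs and therefore fall under the retention and disposal discussion above; the scrubbed output is what a re-cut, cleansed backup would hold. Luhn validation is a filter, not proof: a number that passes could still be an order ID, so treat hits as items to review, and a number that fails is not guaranteed to be innocuous.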


[U2] Credit Card numbers in your database

2012-04-18 Thread Wjhonson

Probably every company has gone through adding more stringent rules to the use 
of credit cards in your database.
But surely no one has actually gone back to their old backups to "cleanse" 
them?
Does anyone think that's really part of the PCI DSS we're supposed to be 
following?
We have backups going back umpteen years.