Actually the 2.0 specs don't allow disk storage at all for magstripe
-- you can keep cardholder data until auth. Since 1.2 specs are not
required until 1/1/12 and 2.0 another year ... I was pointing more to
the future (and had our software certified for 2.0 as 1.2 is only
good until 2013 and 2.0 is good till 2016 and I wanted to avoid
another audit so soon). Not knowing the nature of the data and
network setup makes it hard to answer definitively but if it is going
to be lying around, encrypting it first is, as I said, a good idea in
many cases.

E

At 08:36 PM 6/7/2011, Dave Thompson wrote:
> From: owner-openssl-us...@openssl.org On Behalf Of Eric S. Eberhard
> Sent: Tuesday, 07 June, 2011 15:21
> I would point out in that last approach -- encrypting and sending
> unsecure (which is a good idea in many cases) does have a few
> considerations. If the data is sensitive (like magnetic strip data
> from a credit card) this is completely NOT ALLOWED. PCI and PA-DSS
> won't allow it to hit the disk. If you do hit the disk and you care
> about security on either end, you also need a secure delete <snip>
To be exact, PCI DSS (and therefore PA-DSS) prohibits storing
magstripe, CVV2 and PIN "after authorization (even if encrypted)".
Authorization should always be real-time and thus there should be
no good reason to store on disk during auth, but it isn't specifically
prohibited. If you do store it, yes you will then need to wipe it.
But this is not specific to my last approach. The OP's question
seemed to be about files, and storing this data in a clear file
securely transferred with FTPS, SFTP, or such would be even worse.
> At 08:44 PM 6/6/2011, Dave Thompson wrote:
> >Another approach is to secure the files themselves,
> >rather than just the transfer. That is, encrypt and
> >perhaps sign the files when (or before) they are
> >placed on the sending system(s), transfer them
> >using plain FTP or HTTP or other, and decrypt and
> >perhaps verify them on the receiving system(s).
> >
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Eric S. Eberhard
(928) 567-3727 Voice
(928) 567-6122 Fax
(928) 301-7537 Cell
Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC
For Metropolis support and VICS MBA Support!!!! http://www.vicsmba.com
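
The approach quoted in the thread (encrypt and sign the file on the sending system, move it over plain FTP or HTTP, then decrypt and verify on the receiving system), sketched with the `openssl cms` command as an added example that is not part of the original messages. The identities, file names and payload are constructed for the demo, and throwaway self-signed certificates stand in for real key management.

```shell
#!/bin/sh
# Added example, not from the thread. Key/cert names and payload are constructed.
set -eu
cd "$(mktemp -d)"   # scratch directory for the demo keys and files

# Create a throwaway self-signed identity: $1.key and $1.crt
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Sending side: sign with the sender key, then encrypt to the recipient cert.
# The signed intermediate is piped, so only the final ciphertext is written out.
protect_file() {   # $1 = plaintext file, $2 = protected output
  openssl cms -sign -binary -nodetach -signer sender.crt -inkey sender.key \
      -in "$1" -outform DER |
    openssl cms -encrypt -binary -aes256 -outform DER -out "$2" recipient.crt
}

# Receiving side: decrypt with the recipient key, then verify the signature
# against the one signer certificate we trust. On any failure the output file
# is removed so unverified data is never left behind.
recover_file() {   # $1 = protected file, $2 = output, $3 = trusted signer cert
  openssl cms -decrypt -inform DER -in "$1" \
      -recip recipient.crt -inkey recipient.key |
    openssl cms -verify -inform DER -CAfile "$3" -out "$2" 2>/dev/null ||
    { rm -f "$2"; return 1; }
}

make_identity sender
make_identity recipient
make_identity other          # a signer the receiver does not trust

printf 'constructed sample record 0001\n' > batch.txt
protect_file batch.txt batch.p7      # batch.p7 is what travels over plain FTP/HTTP
recover_file batch.p7 batch.out sender.crt
cmp batch.txt batch.out && echo "round trip OK, signature verified"
```

Signing before encrypting keeps the signer's certificate inside the ciphertext, and pinning `-CAfile` to a single certificate means a file signed by any other key is rejected even if it decrypts cleanly.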