On 24 January 2012 14:18, David Freedman <[email protected]> wrote:
> I love Robin's point about being concerned with the assessor's abilities
> to explain why something is in scope and what is considered out of scope.
> We have recently gone through our yearly PCI compliance 2.0 and there was
> a big debate over what was in scope due to the differences between last 4
> of a PAN and full track data.
>

One place I've found that isn't always automatically considered in scope is log servers. People turn on full logging and the CC data gets sent off to a separate machine, then they forget to turn it off or to clear it down later. Also backup locations: the SQL server either generates a SQL dump or a binary backup of all the data and that is passed to a separate machine; that machine isn't in the normal flow of data, so people forget about it.

Robin

> Tony - how did the SIG work out? Did it provide
> solid compensating controls for the airlines? I mean this with honest
> curiosity as I think it is interesting that there are some airlines that
> are not PCI compliant.
>
>> On Tue, Jan 24, 2012 at 7:56 AM, Tony Turner <[email protected]> wrote:
>>
>>> Many airlines are not PCI compliant. There are complexities to their
>>> business model with airports, common use platforms and travel agents that
>>> create significant difficulties. This was why we created an informal SIG
>>> for Air Travel PCI. Bottom line, don't assume.
>>>
>>> Sent from Yahoo! Mail on Android
>>>
>>> ------------------------------
>>> From: Scott Rosenthal <[email protected]>;
>>> To: PaulDotCom Security Weekly Mailing List <[email protected]>;
>>> Subject: Re: [Pauldotcom] CC numbers stored on planes
>>> Sent: Tue, Jan 24, 2012 12:42:11 PM
>>>
>>> Hi Robin, here in the States many if not all of the airlines are
>>> required to be PCI compliant. That being said, those devices should be
>>> considered in scope by the company that is performing their assessment. If
>>> they are truly PCI compliant, all of the credit card numbers stored on
>>> those devices should be encrypted. I hope that helps.
>>>
>>> Scott
>>>
>>> On Mon, Jan 23, 2012 at 10:13 PM, Robin Wood <[email protected]> wrote:
>>>
>>>> I've been on quite a few planes where the duty free and the bar allow
>>>> people to pay by credit card. I'd guess the data is stored and
>>>> downloaded to be processed at the end of each flight; if so, that is a
>>>> great target for card thieves. I wonder how many are actually properly
>>>> protected?
>>>>
>>>> Robin
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
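Robin's point above about log servers and SQL dumps quietly holding card data suggests a concrete check before an assessor asks. What follows is an added example, not code from this thread, from PaulDotCom or from any of the posters: it scans a handful of constructed log and dump lines for digit runs that look like PANs, keeps only those that pass the Luhn check digit, and shows how to mask them in place. The sample lines, field names and separator tolerances are assumptions made for illustration; the card numbers are the well-known public test numbers.

```python
"""Scan log lines and SQL dumps for card numbers (PANs) that should not be there.

Added example for the thread above; not code from the list or its posters.
Sample lines, field names and separator tolerances are constructed for illustration.
"""
import re
from typing import Iterable, List, NamedTuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not part of a
# longer digit run (so a 20-digit transaction id is never sliced into a false PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): drops most timestamps, order numbers and
    counters that merely have the right length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


class Hit(NamedTuple):
    line_no: int
    masked: str
    context: str


def redact_line(line: str) -> str:
    """Replace Luhn-valid PANs with their masked form; leave other digit runs alone.
    This is the 'clear it down' step for a log or dump that must be kept."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_sub, line)


def find_pans(lines: Iterable[str]) -> List[Hit]:
    """Return every Luhn-valid candidate PAN with its line number and a redacted context,
    so the report itself does not become another place card data is stored."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append(Hit(n, mask(digits), redact_line(line.rstrip("\n"))))
    return hits


# Constructed sample: in-flight POS log lines plus one line from a SQL dump of the
# sales table. Card numbers are public test numbers, not real accounts.
SAMPLE_LINES = [
    "2012-01-24 14:18:01 POS flight=XX0123 seat=14C amount=12.50 pan=4111111111111111 exp=0114 auth=OK",
    "2012-01-24 14:18:05 POS flight=XX0123 seat=22A amount=7.00 pan=5555 5555 5555 4444 exp=1213 auth=OK",
    "2012-01-24 14:18:09 POS flight=XX0123 seat=3F order=1234567890123456 last4=0005 auth=OK",
    "INSERT INTO sales VALUES (1, 'AMEX', '378282246310005', '2012-01-24');",
    "2012-01-24 14:18:20 health check ok uptime_ms=123456789012345678",
]

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LINES):
        print(f"line {hit.line_no}: {hit.masked}  |  {hit.context}")
```

Run against the sample, it flags lines 1, 2 and 4 and ignores the 16-digit order number and the 18-digit uptime counter, both of which fail Luhn. Pointed at a real log server or a directory of SQL dumps, the same `find_pans` tells you whether those machines belong in the cardholder data environment, and `redact_line` is what you run over anything you are obliged to retain.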
