Pci DSS

[Fairlight]

On Wed, Sep 18, 2013 at 04:51:12AM +0000, Richard Kreiss thus spoke:
> If you do hold card holder information, that is the advantage of fp 5.6
> or higher field encryption. All of this data can be encrypted.  With 5.7
> full file encryption is available adding one more layer of protection
> from the outside.  You can encrypt one file or all of the files making it
> very difficult for someone not running your filepro to access your data.
> The encryption is tied to your license so even if someone had filepro
> they could not take your data and use it on their system.

Two things:

* MAC reprogramming
* Virtual Machine drive serial spoofing

Still think it's safe?

> Based on hacking reports, do you really want to trust your sensitive data
> to an outside source.  The banks and credit card companies don't exactly
> have a stellar reputation for protecting card holder information.

As I said in another reply, that's a bad joke...trusting PCI certification.
I wouldn't even necessarily take an ISO-certified system at face value
unless I know the admin and their habits.

Someone pointed towards masking the number onscreen.  You do realise that
this won't -really- protect the number from more than casually prying eyes,
right?

To wit, it's rather like Spotify, iTunes, et al., in the fact that in
order to use the data -somewhere- (anywhere) in a meaningful form, it must
be decrypted.  Even if you store it encrypted, it's still unencrypted in
memory while being used in a decrypted form, and can be -lifted- from
active memory during that time period.

This is exactly how you can use Audacity, Goldwave, or pretty much any
sound recorder to record encrypted music from Spotify, iTunes, or any other
service, or use something like FRAPS to capture DRM-protected video.  You
capture it at the decrypted level, during playback, when it -MUST- be
decrypted, standardised data to be of any use.  This is not a new
technique.  It's a proven weakness of any DRM format that the data must be
unencrypted at -some- point.  Some programs are better and minimising their
exposure than others, but all of them have the same inherent, base
weakness.

Your absolute best bet is to let a payment gateway (PayPal, Authorize.net,
Google, etc.) handle it, and make sure the numbers -NEVER- touch
your systems.  Offload that exposure to the payment gateway, and steer
clear of as much of the responsibility as possible.

mark->
-- 
Audio panton, cogito singularis.