Nevada Mandates PCI DSS
Monday, June 22nd, 2009 | Posted in Compliance, Encryption, Government, Legislation, PCI DSS | No Comments »
As we've been expecting for some time, states are beginning to take action with respect to mandating PCI DSS. The trend began with Minnesota's Plastic Card Security Act, which prohibited the storage of sensitive authentication data. While not ...
Is this PAN data?
Thursday, January 24th, 2008 | Posted in Compliance, Encryption | No Comments »
There is an excellent conversation going on in the PCI Forum about the definition of 'cardholder data'. This thread gets into the very gray areas of terminology and definitions. Cardholder Data most certainly includes the PAN, but what if you begin ...
Secure hashing of PAN requires salt
Friday, December 28th, 2007 | Posted in Encryption | 9 Comments »
One of the topics that always comes up (as it has in the forum) is that of how to satisfy the "strong one-way hash functions" aspect of PCI DSS requirement 3.4. We discussed the alternative to encryption, secure hashing, earlier this ...
Database encryption?
Monday, August 20th, 2007 | Posted in Encryption | 14 Comments »
Troy emailed to ask: We have been looking at database encryption as it applies to PCI Compliance in the United States. We have been told that we must encrypt the credit card numbers as they are stored in our SQL Server ...
Audio files containing credit card data
Monday, August 20th, 2007 | Posted in Encryption, PCI DSS | 9 Comments »
I thought normal spam was bad, but now we get PCI specific spam! Companies actually try posting press releases into the comment sections of various posts. Sheesh. One person emailed asking about how to address audio recordings that could contain credit ...
Understanding Compensating Controls
Thursday, June 21st, 2007 | Posted in Compensating Controls, Encryption | 5 Comments »
Mike Rothman of Security Insight regularly links to our blog so we figure it's time we return the favor in an article on compensating controls. I should first point out that we have written on PCI compensating controls in ...
Does The Right Hand Know What the Left Hand Is Doing?
Friday, June 8th, 2007 | Posted in Card Brands, Encryption, Merchant, PCI DSS, Point of Sale, Service Provider, Third-Parties | 3 Comments »
According to Digital Transaction News, Visa USA is ready to introduce account-level processing (ALP). “Visa claims ALP will allow smoother transitions to new cards for cardholders, and will let merchants, in partnership with issuers, design more effective rewards programs.” Sounds good ...
Hardware Security Modules: part II - why do I need an HSM?
Friday, May 11th, 2007 | Posted in Encryption, PCI DSS | 4 Comments »
History: HSMs have been around for a number of years, but were not an immediate commercial success. Eracom produced an HSM as early as 1983, about which I can find little detail, but am assured that it was secure, tamper-proof, used ...
Hardware Security Modules: part I - the basics
Thursday, May 10th, 2007 | Posted in Encryption | 7 Comments »
HSMs and PKI are pretty big subjects, and putting every piece of information about them into a blog post would make it fairly unreadable. What follows is therefore a basic primer of information you will need to understand before I ...
Encryption for PCI Compliance
Tuesday, May 1st, 2007 | Posted in Encryption, PCI DSS | 30 Comments »
Although we have discussed encryption and the PCI requirements before, many people still do not understand how to properly implement secure encryption systems. So, this post is aimed to make this as simple to understand as possible by answering ...