[Owasp-pci-project] How Worthwhile is the Effort?

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Wed Jun 3 15:38:57 EDT 2009


 For this to work, the token would need to have other characteristics
such as one-time usage, good for a certain period, have the ability to
be validatable by others without leaking, somewhat opaque, etc.

-----Original Message-----
From: owasp-pci-project-bounces at lists.owasp.org
[mailto:owasp-pci-project-bounces at lists.owasp.org] On Behalf Of Brad
Andrews
Sent: Wednesday, June 03, 2009 3:32 PM
To: owasp-pci-project at lists.owasp.org
Subject: Re: [Owasp-pci-project] How Worthwhile is the Effort?



They would require some things to be done differently, but would remove
the danger of exposing the card number after authorization.

You would need to weigh it against the pain of making all the required
card number protection efforts.  That can be very large, even for
"simple" encryption!  Data at rest, in transit, etc.  What about
messaging queues and other such things, where things are written to disk
without anyone actively thinking about it.

Using a token would remove almost all of the need for some of this, at
least as far as CC#s go.

Do you disagree James?

--
Brad Andrews
RBA Communications
SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>:

>  Tokens would cause additional strain as not all processing is done in
> realtime. Much of IT is still batch.
_______________________________________________
Owasp-pci-project mailing list
Owasp-pci-project at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-pci-project
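The token properties listed at the top of this message (opaque, one-time use, valid for a period, checkable by others without leaking the card number) sketched as a small vault in Python. This is an added illustration, not code from either poster or from the OWASP PCI project; the vault class, its method names, the controllable clock and the test PAN are all constructed for the example. The validity window is the setting that the batch-processing concern in the quoted exchange turns on: it has to outlast the batch run that will redeem the token.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping (constructed)."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class TokenRecord:
    pan: str            # the card number; it leaves the vault only via detokenize()
    issued_at: float
    used: bool = False


class TokenVault:
    """Toy tokenization vault (constructed for this example).

    Tokens are random, so they carry no card data; each is valid for a
    fixed window and can be exchanged for the PAN exactly once.
    """

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str) -> str:
        # Opaque: 192 random bits, not derived from the PAN, so the token cannot
        # be inverted or correlated with another token issued for the same card.
        token = secrets.token_urlsafe(24)
        self._records[token] = TokenRecord(pan=pan, issued_at=self._clock())
        return token

    def _live(self, token: str) -> Optional[TokenRecord]:
        rec = self._records.get(token)
        if rec is None or rec.used:
            return None
        if self._clock() - rec.issued_at > self._ttl:
            return None
        return rec

    def is_valid(self, token: str) -> bool:
        """Validatable by others: any system may ask, and learns only yes/no."""
        return self._live(token) is not None

    def detokenize(self, token: str) -> Optional[str]:
        """One-time use: releases the PAN once, after which the token is spent."""
        rec = self._live(token)
        if rec is None:
            return None
        rec.used = True
        return rec.pan


def demo() -> dict:
    """Walk a token through its lifecycle and report what each step observed."""
    clock = FakeClock(start=1_000_000.0)
    vault = TokenVault(ttl_seconds=300, clock=clock)
    pan = "4111111111111111"   # constructed test PAN, not a real card
    tok = vault.tokenize(pan)
    out = {
        "opaque": pan not in tok,
        "valid_before_use": vault.is_valid(tok),
        "released_once": vault.detokenize(tok) == pan,
        "valid_after_use": vault.is_valid(tok),
        "released_twice": vault.detokenize(tok),
    }
    # A second token for the same card, left unused past its window.
    tok2 = vault.tokenize(pan)
    out["fresh_token_differs"] = tok2 != tok
    clock.advance(301)
    out["valid_after_expiry"] = vault.is_valid(tok2)
    out["released_after_expiry"] = vault.detokenize(tok2)
    out["unknown_token"] = vault.is_valid("not-a-token")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Everything outside the vault (queues, batch files, logs) only ever holds the random token, which is the point made in the quoted message about removing most of the card-number protection work; the one place that still needs full PCI controls is the vault itself and whatever is allowed to call detokenize().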