Probably out of scope for this list, but if the process is automated you'd want to reduce the number of people with access to the keys to only staff with a need to know. Usually that translates to IT support / administrators. Beyond that, safeguards against people (specifically administrators) cannot be technical controls. They have to be policies, procedures, and monitoring/audit. You should demonstrate that:
- You are doing background checks against employees with access to the keys
- Those background checks look at issues like debt
- You have security policies and procedures that dictate use of well-known security best practices
- You have a security awareness program that ensures that employees are reminded of best practices
- You keep a log of whoever is logging into the system to access the key

You just have to trust your employees at some point. None of this mitigates a rogue insider with access to the keys.

-Farhan

On Wed, Nov 9, 2016 at 11:16 AM, Mike Schleif <m...@mdsresource.net> wrote:
> During our current annual PCI DSS audit, our auditor complains that a
> human being can access the company's private key and, thus, a human being
> can decrypt sales files containing credit card information.
>
> All production processes are fully automated and run as non-privileged
> user.
>
> We use GPG encryption for all file exchanges between this company and
> banks, and between vendors/clients and this company. The latter is the
> issue.
>
> What can be done about this?
>
> Please, advise. Thank you.
>
> ~ Mike
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users