When I went through PCI the first time, we were talking about putting locks on the machine doors. Then we had a conversation with a VISA guy. He knew exactly what Crypto Express cards were, and was much more understanding.
Rob.

On Apr 25, 2013 2:14 PM, "Phil Smith" <[email protected]> wrote:

> Rob Schramm wrote:
> >So.. even though the protected key starts with the Crypto Express, it
> >wouldn't pass an audit for protection of card data?
> >
> >I had thought that the key never appears in the clear at any time with
> >protected key. Seems like as long as it never is in the clear that it
> >would pass muster. Even with the more esoteric attacks.. if all they get
> >is the encrypted key... what does it buy them? Or am I missing something
> >obvious?
>
> Somebody is, but it isn't you. Remember that auditors typically aren't
> technicians. And their model is PCs. So they get told, "Stuff gotta be done
> in an HSM to be considered secure". That's the beginning and the end of the
> conversation. Protected Mode isn't entirely in an HSM (which is what the
> CEX is), so they don't buy it.
>
> Part of their job is not to believe the grizzled veteran who says "This
> stuff IS secure". Part of their job might should be-but isn't-to prove that
> he's wrong. But instead, it's just "Nope, doesn't fit the rule, can't do
> it".
>
> Disclaimer: Not all QSAs are this simplistic. But that's the case that
> causes the most problems.
>
> ...phsiii
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------
