Section 3.7 of Visa's CISP Security Audit Procedures and Reporting document
(commonly referred to as Visa's "dirty dozen" because there are 12 main
sections) states that stored cardholder data should be rendered unreadable.

They list a number of approaches, such as one-way ciphers (specifically
excluding MD5), truncation, simple ciphers, index tokens and PADs, and
"strong cryptography, such as Triple-DES...."

They do NOT list specific products, only methods.  It's up to you to choose
the products, and I can't see how you'd be faulted for choosing OpenSSL.

Keep in mind that what Visa does is look at a number of large
transaction-volume organizations to get a sense of what people do, and
distill that down into a set of "best practices."  They're not out to steer
you away from a product that might accomplish the goal they intend you to
meet.

On 8/8/03 10:20 AM, "Waitman C. Gobble, II" <[EMAIL PROTECTED]>
wrote:

> 
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Shawn P. Stanley
>> Sent: Friday, August 08, 2003 8:03 AM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Visa CISP
>> 
>> 
>> What they're trying to get at is that you should be using
>> strong cryptography, but pay attention to any export
>> restrictions and patents/licensing.  They don't want someone
>> to be able to say, "Sure it's illegal, but Visa made me do it."
>> 
>> Also, they'd rather keep your business instead of seeing you
>> shut down due to prosecution for infringement.
>> 
>> It's just a cover-your-ass statement.
>> 
> 
> 
> 
> Thank you, Shawn, I appreciate your reply.
> 
> I was concerned they were getting at "product xyz is certified to
> conform to all applicable international and national standards as
> well as legal and regulatory controls... Click here to buy."
> 
> For sure I'll claim OpenSSL "conforms", as I believe it does, however is
> there available documentation to back me up?
> 
> If it is truly a cya statement, then all should be well.
> 
> Take care,
> 
> Waitman Gobble
> EMK Design
> Telephone (714) 522-2528
> Toll Free (877) 290-2768
> http://emkdesign.com
> 
> 
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

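An added illustration (not code from this thread or from OpenSSL) of three of the methods the Visa list names for rendering stored cardholder data unreadable: truncation, a one-way hash (keyed HMAC-SHA-256 rather than the excluded MD5), and an index token backed by a separately protected vault. The sample PAN and key are constructed; the in-memory dict stands in for a real token store.

```python
import hashlib
import hmac
import secrets

# Constructed sample inputs: a widely used test card number and a dummy key.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_KEY = b"constructed-32-byte-key-for-demo"


def _digits(pan: str) -> str:
    """Strip separators and check the length a PAN can have (13-19 digits)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Truncation: keep only the last digits, masking the rest."""
    digits = _digits(pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA-256; MD5 is excluded by the list).
    The key matters: the space of valid PANs is small, so an unkeyed
    digest offers little protection once the stored table is exposed."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index token: a random value stands in for the PAN in application
    data; the token-to-PAN mapping lives only in a separately protected
    store (an in-memory dict here, standing in for the real vault)."""

    def __init__(self) -> None:
        self._store = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)  # 128 random bits, unrelated to the PAN
        self._store[token] = _digits(pan)
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]
```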