Re: PCI Compliance

["Sheldon Malm" <smalm () ncircle com>]

If you have PCI compliance as a strategic project with executive support, it might be worth your time and money to have 
a certified QSA perform an assessment.  There is cost associated with it, but these are precisely the kinds of 
questions that they can address for you and you don't want to buy and deploy a technology on a best guess, only to find 
out later that it's non-compliant.

--------------------------
Sheldon Malm
Director 
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld


----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Wed Jan 09 15:35:31 2008
Subject: PCI Compliance

Hello all, need some opinions on PCI compliance.

The company I work for is trying to become PCI compliant by June 30...
we have a long way to go.

According to requirement 8.3 of the PCI DSS, two-factor authentication
is required for remote access.
I've been evaluating Aladdin's eToken product and have been impressed,
especially considering the cost.
My question is whether anyone has had experience with this product in
general or as it relates to PCI compliance.

The execs are concerned because they seem to be a smaller company
(perhaps not as reputable), but mostly because RSA is the only
two-factor auth solution they've heard of, so are hesitant to adopt an
alternative solution.

Thoughts, comments or concerns on this approach to complying with that
section of the PCI DSS would be appreciated.

Josh