David,
* David P. Quigley (dpquigl@tycho.nsa.gov) wrote:
> So the document I read is linked below [1].
Great, thanks again.
[agree with all the rest]
> It is definitely good to have a second opinion on this since I've just
> only started reading the PCI compliance documents. I'm definitely not an
> expert in PCI compliance but from what I've read there are definite
> benefits for using SEPG or PG-ACE with a special security module in
> making much stronger guarantees about who and what can touch the card
> data.
Indeed. The other nice piece about getting the opinion of Treat (or
others who have to deal with PCI) is that while the PCI documentation
says what you're supposed to do, the PCI folks also have auditing
requirments (as in, a third-party vendor has to audit your system, and
there are required scans and scanning tools, etc) which don't always
marry up to what they say they require.
Thanks!
Stephen
