PCI DSS Interpretation

A place to discuss issues involving compliance auditing tools, techniques and issues.

PCI DSS Interpretation

Postby raetheme » Tue Feb 10, 2009 9:40 am

I am part of an audit reviewing controls enabling state agencies to be PCI DSS compliant and have run into an interpretation issue. We have contacted the PCI Security Council several times with no responses; we have also contacted several of the Council's Qualified Security Assessors, but only one would answer; others told us that since we aren't clients, they won't answer our questions. Here's the issue: The standard states any data transferred through an open, public communications network must be encrypted; however, it does not distinguish between analog (PSTN) and digital (IP based). This relates to a merchant's point of sale device (usually a PIN entry device). It also does not state if an analog (PSTN) connection is considered a point-to-point connection, in which case encryption would not be required. Has anyone out there had experience in interpreting this issue and, if so, what advice can you offer?

Thank you for your help!
raetheme
Posts: 1
Joined: Mon Feb 09, 2009 9:09 am

Re: PCI DSS Interpretation

Postby suresh_mohan7 » Tue Apr 07, 2009 7:06 am

This control primarily focuses on cardholder data, which needs to be encrypted during transmission and storage on system components. This means that cardholder data should be encrypted if it's sent via email, and it should be encrypted if stored on a system. Your focus should be on checking whether any system containing cardholder data is encrypted and whether all emails containing cardholder data are encrypted.

I hope I have answered your queries.
Regards,
SM.
suresh_mohan7
Posts: 5
Joined: Tue Apr 07, 2009 1:03 am
