> "While there is no evidence that passwords and credit card information have been compromised, with the state of encryption cracking, it should only be a matter of time (and horsepower)."
Um. What? Assuming that a PCI-compliant level of encryption was used, "matter of time" is "heat death of the universe" if you don't have the encryption keys.
PCI compliance really isn't a standard anyone should be shooting for. Use good security measures, not compliant ones. PCI is for enterprises and government agencies who keep wondering why they get compromised by 14-year-olds running Metasploit. Yes, you have to be compliant. No, you should not think 'compliant' is in any way synonymous with 'secure'.
Exactly. When we last went through our PCI compliance rigmarole, they told us that if anyone ever told us their CC number over the phone, we were to open a text editor on our machines, type it without saving, and then close it without saving when done. Apparently our writing it on a physical notepad and destroying the piece of paper when done with it was not secure enough, so we had to introduce the possibility of keyloggers to our process.
Don't you have to type in the number anyway? It sounds like a keylogger would just get it a little later if you wrote it down on paper first.
One potential reason it's preferable to use an innocuous, generic text editor is the potential supposition by an attacker that they only need to infect and/or monitor the card processing application. If someone spreads a malicious update that has a built-in keylogger only for that application, for instance, copy+paste from the non-infected program would stop it from recording the data.
Though I think that's stretching it a bit. Maybe your auditors encountered something similar previously?
We had a front desk that would take calls and pass info along to the appropriate staff (on a different, largely segregated network). We don't want people emailing CC numbers or any customer data, really, internally, so it would be passed along via a note. But these cases rarely ever came up. We work with transaction numbers and 99% of staff has zero reason to know any credit card information.
It was something the auditors just brought up on their own, so yeah, I'm assuming they'd run into it before.
The no paper rule isn't protecting against outside hackers, but from your own employees. Many call centers now have a strict no paper/no cellphones policy because the employees liked stealing CC numbers.
You don't just "break the encryption algorithm". If the people holding the database can get through AES-256 or 128-bit triple DES, the internet as a whole has far bigger problems than Steam's database being compromised.
This isn't CSI. You don't just throw encrypted text at an implausibly attractive IT guy and wait for him to furrow his brow, declare that it's military-grade encryption that will take him a little while, and then have him decrypt it by the end of the next commercial break. PCI-compliant encryption is the sort of thing that, barring incredible leaps in technology or the discovery of a significant algorithmic weakness, will never be crackable in our lifetime.
Keep in mind he was referring to credit card information, not the credit card number. He mentions this here: "We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked." By credit card information, he's referring to address and name, for example, which, at last check (earlier this year) didn't necessarily require encryption.
That the information had encryption is a good sign.