What The CIA WikiLeaks Dump Has In Common With PCI Compliance

In recent news, WikiLeaks exposed a huge trove of CIA documents. Journalists and bloggers will of course have a field day with this, and the general public will be spectators to another ongoing drama. From our perspective, thankfully, it sounds like WikiLeaks intends to work with vendors to fix vulnerabilities, which will hopefully spare everyone from a shooting gallery of zero-day exploitation.

WikiLeaks and PCI Compliance

We, like many of you, were curious. We wondered what useful things might be gleaned from this. In particular, how might PCI DSS, PA-DSS, PIN, and P2PE guidance hold up against the CIA’s guidance? What we found interesting was that, after casting off the spycraft material like misdirection, misattribution, and uber-stealthy techniques, what was left could easily have been taken from a PCI compliance and best practices document:

  • Don’t use proprietary crypto
  • Don’t use deprecated crypto (e.g. SHA-1)
  • Don’t rely solely on SSL/TLS
  • Don’t write plain text to disk
  • Don’t keep data in memory longer than needed
  • Do use end-to-end encryption
  • Do compress data prior to encryption
  • Do use standardized crypto libraries
  • Do use strong crypto like AES-256 in an appropriate operational mode
  • Do use strong HMACs and hashes (e.g. SHA-256 or better)
  • Do use HMACs, not hashes, for integrity
  • Do use strong key management
  • Don’t use asymmetric crypto for bulk data encryption
  • Do use asymmetric crypto to exchange secret keys
  • Do use a good source of entropy for key generation
  • Don’t reuse keys for different purposes
  • Don’t use related keys
  • Do securely delete data from disk
  • Do test against the requirements of best practice
  • Do test on all supported program variants
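Several of the items above (HMACs rather than hashes for integrity, SHA-256 rather than SHA-1, one key per purpose, no related keys, good entropy) fit in one small piece of code. The following is an added example written for this post, not code from the CIA documents or from the PCI standards; it uses only the Python standard library, and the purpose labels, sample record and salt are constructed values.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256  # SHA-256 or better; SHA-1 is deprecated for this use


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) over HMAC-SHA-256.

    `info` is the purpose label: distinct labels give independent,
    unrelated keys from the same input keying material.
    """
    prk = hmac.new(salt or b"\x00" * 32, ikm, HASH).digest()       # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                        # expand
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_purpose_keys(master_key: bytes, salt: bytes) -> dict:
    """One master secret, one key per purpose: the encryption key is never
    reused as the MAC key. Labels below are constructed for this example."""
    return {
        "enc": hkdf_sha256(master_key, salt, b"cardholder-record encryption v1"),
        "mac": hkdf_sha256(master_key, salt, b"cardholder-record integrity v1"),
    }


def tag_record(mac_key: bytes, record: bytes) -> bytes:
    """Keyed integrity tag. A plain hash would not do: anyone who can alter
    the record can recompute an unkeyed digest to match it."""
    return hmac.new(mac_key, record, HASH).digest()


def verify_record(mac_key: bytes, record: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking the tag byte by byte."""
    return hmac.compare_digest(tag_record(mac_key, record), tag)


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # OS CSPRNG as the entropy source
    keys = derive_purpose_keys(master, secrets.token_bytes(16))
    record = b"constructed sample record: token=tok_0001;amount=1999"  # constructed
    tag = tag_record(keys["mac"], record)
    print("genuine accepted:", verify_record(keys["mac"], record, tag))
    print("tampered rejected:", not verify_record(keys["mac"], record.replace(b"1999", b"0001"), tag))
    print("wrong-purpose key rejected:", not verify_record(keys["enc"], record, tag))
```

The HKDF step is what turns "don't reuse keys" and "don't use related keys" into practice: both derived keys come from one stored secret, yet knowing one reveals nothing about the other.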
