Comment Re:PCI in California (Score 1) 461
If only that were true.
PCI actually states that requirement only applies when the data is sent over OPEN or wireless networks.
I don't know many that would be using HTTP over the internet, but the clause exists to say that if you do, all data must be encrypted. This is to protect against sniffing and hijacking, but your broad assertion that everything needs encrypting is actually a small corner case.
Most of these devices are not running wireless or routing over the internet without some form of an encrypted tunnel (think 3DES router B2B connections).
Plenty of small mom-and-pop shops also do direct modem dial-ups, but the devices effectively also encrypt the temporary pipe.
For private PCI compliant networks, requirements exist to encrypt a smaller subset of data, including the following:
Cardholder Data defined as: (All can be stored, but the PAN must be stored in an unreadable format)
- Primary Account Number (PAN)
- Card Holder Name
- Service Code
- Expiration Date
Data which must never be stored and must always be encrypted is defined as follows:
- Full Magnetic Stripe
- CAV2
- CVC2
- CVV2
- CID
- PIN
- PIN Block
And lastly,
PCI requires operators to "Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.)."
And to have a security policy which states that "unprotected PANs are not to be sent via end-user messaging technologies," with or without encryption.
See pages 8, 35 and 36 of PCI DSS version 2.0 (2010) at https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
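As an added worked example, not part of the comment above and not code from the PCI Security Standards Council, here is a small Python sketch of the two rules the comment lists: storing only cardholder data with the PAN rendered unreadable (masked for display, keyed-hashed for lookup) while dropping sensitive authentication data, and scanning an e-mail or chat body for unprotected PANs. The record field names, the key, and the sample inputs are this example's own assumptions; the Luhn check is there so the scanner does not flag every 16-digit order number.

```python
import hmac
import hashlib
import re

# Sensitive authentication data: the fields the comment lists as "must never be stored".
# (These key names are an assumption of this example, not a PCI-defined record layout.)
SENSITIVE_AUTH_FIELDS = frozenset({
    "full_magnetic_stripe", "track1", "track2",
    "cav2", "cvc2", "cvv2", "cid", "pin", "pin_block",
})

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check used by payment card numbers; filters out random digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits (PCI DSS 3.3), rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hmac(pan: str, key: bytes) -> str:
    """Keyed hash usable for lookups. A plain SHA-256 of a PAN is brute-forceable
    (the digit space behind a known BIN is small), so the key must stay secret and
    live outside the cardholder-data store."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return a copy safe to persist: sensitive authentication data dropped, the PAN
    replaced by its masked form plus a keyed hash. Name, expiry and service code stay."""
    pan = re.sub(r"[ -]", "", str(record["pan"]))
    if not luhn_valid(pan):
        raise ValueError("pan fails Luhn check")
    stored = {k: v for k, v in record.items()
              if k.lower() not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_hmac"] = pan_hmac(pan, key)
    return stored


def find_unprotected_pans(text: str) -> list:
    """DLP-style scan of an e-mail/chat body for cleartext PANs. Returns the masked
    form of each hit so the alert itself does not leak the PAN."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Constructed sample record; 4111111111111111 is a well-known Luhn-valid test number.
    raw = {"pan": "4111 1111 1111 1111", "cardholder_name": "J DOE",
           "expiration_date": "12/14", "service_code": "201",
           "cvv2": "123", "track2": "4111111111111111=1412201..."}
    print(sanitize_for_storage(raw, key=b"demo-key-not-for-production"))
    print(find_unprotected_pans("Please charge 4111-1111-1111-1111, ref 1234567890123456"))
```

The keyed hash is the part worth getting right: hashing the PAN with an unkeyed SHA-256 looks "unreadable" but can be reversed by enumerating the roughly ten-digit account space behind each BIN, which is why the key has to be managed like any other cardholder-data encryption key.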