If that were only true,
PCI actually states that requirement only applies when the data is sent over an OPEN or wireless networks.

I don't know many that would be using HTTP over the internet, but the clause exists to say that if you do all data must be encrypted. This is to protect against siffing and hijacking, but your broad assertion that everything needs encrypting is actualy a small corner case.

Most of these devices are not running wireless or route over the internet without some form of an encrypted tunnel(think 3DES router B2B connections)
Plenty small mom and pop shops also do direct modem dial ups, but the devices effectively also encrypt the temporary pipe.

For private PCI compliant networks requirements exist to encrypt a smaller subset of data including the following;
Cardholder Data defined as: (All can be stored, but the PAN must be stored in an unreadable format)
- Primary Account Number (PAN
- Card Holder Name
- Service Code
- Expiration Date

Data which Must never be stored and must always be encrypted is defined as follows:
  - Full Magnetic Stripe
- CAV2
- CVC2
- CVV2
- CID
- PIN
- PIN Block

And Lastly
PCI requires operators "Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
And have a security policy which states that "unprotected PANs are not to be sent via end-user messaging technologies." with or without encryption.

See Pages 8, 35, 36, PCI 2010 version 2.0 at https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

I should have been a slight bit more informative RSA is from Feb 14 to the 18th.

This was just a dry run prep. Kind of a sound test and the audience I mentioned was composed of a half dozen geeks I've known for years. A small audience and it was appropriate to be on line and get patches applied, the demo requires it.

At presentation time, I'll be host only.

Hey, don't vote for the bean just cause its Dark roasted.

Ubuntu, change you can bean in.

Wrong.
That fact that the zip is used to verify the transaction is utterly irrelevant to PCI. Not cool, and by that logic if the stripe, pin card number expiration and CVC were used to verify the transaction could they also be un-encrypted?

The Zip is either public or as the court ruled, non public and the customer has a right to protect his or her personal information, and how do you propose business use the Zip, which they will do and bide by the law, which they will do.

In IT, we call this an opportunity to have a mitigating control and "protect" the customers right by encrypting the data from prying eyes.

The fact that zip is a crappy piece of data to be used to do a "something you know" validation and therefore must be the authorized holder of the card seems to have gone completely unnoticed.

lol nice

Forgot to mention, I was running the latest Oracle Virtual box 4.0.2 r69518. Apparently, the impact was not restricted to as as the OP implied to just VM-Ware

Mod this coward up 5 points. Dammed if he doesn't look fleshy and pink.

Just wrong and so many levels.

Here is my personal relevant experience related to the botched patch.

Booted up, let the patches roll in(First mistake), but we have policy to keep the honeypot patched you know.
So nothing, no problem, did a normal and of day reboot.

On the restart before login gina was presented, I get the vile your not Genuine dialog, had to click on "correct it now"
That took me to a Microsoft page stating that I should download a program and run it to perform Genuine validation.
Curious, I opened the Control panel system panel and it shows "Genuine" ok.

Then, wait for it, Microsoft Security Essential icon is blood red and come to discover it had dropped the pants down around ankles and had due to the Fo Genuine violation instantly and totally been disabled.

Now I'm caught literally in public with my virtual pants down, no firewall, on a hostile network, no av, ankles getting warmer but I have to do another dammed required Genuine validation, so I download the same program and poof the moment of drama had passed.

I felt extra soiled by the humiliating experience. This all happened in-front of an audience while preparing a demo for the SFO RSA shew.

Thinking some one at Microsoft needs to use the new iPhone confession app cause they can't seem to budget for sacrifice of the requisite number of chikenz any more.

The extremist in the media in collaboration with sheep voters, progressive socialist unions new world order folks.

Some seem to think the 3rd party is an expedient low effort choice, all it requires is absolute commitment to apathy.

These people are not free, they vote as a mindless block and cripple any real democratic debate.

A just as relevant question is, If half the 890 *nix variants disappeared tomorrow, would anyone notice?

Interesting, if upheld, this could push the PCI DSS Council to add Zip to the list of non public information that must be encrypted.

And that would effectively mandates QSA's find every gas station in California in violation of the next wave of PCI DSS criteria.

The expense of coding testing, QA'ing, promoting encryption on Zip (at rest and in transmission) could be high as compared the moderate to minor risk that companies are stalking their customers using Gas Station data.