Forgive me for I am not a security expert. However, I have been tasked with getting on-line giving implemented for our organization and am trying to find a workable solution that is PCI compliant for receiving donor info via email. Can anyone tell me if the latest version of gnuPG is PCI compliant? This is holding up the last stages of the implementation, so I am hoping to find an answer to this question ASAP.
Thanks in advance for any help.
you dont want to receive donatation information via email. The responsibility of protecting the information in an email is on the shoulders of the sender. Unfortunately most computer users are not savvy enough to install encryption software and use it properly.
I run a fund raiser each year and have two ways to receive funds… online shopping cart, or over the phone. Either way the actual credit card transaction is handled by another company and the PCI compliance rests on their shoulders. There could still be some merchant responsbilities, and I am trying to figure that out now.
You might take a look at this site for additional info on PCI… http://www.pcicomplianceguide.org/
Actually, the donors are not the originators of the email. Donation information is entered into a secure on line form and then our web hosts (who have a copy of our public key) put the information into an encrypted email and forward it to us…
From what I read in your email, it would seem that using GPG to un-encrypt should be perfectly acceptable. I was mainly concerned as our Web Hosts (who probably get a kickback) were adamant that we use PGP Desktop - a purchased piece of software - implying that we might be out of compliance if we used anything else. Now I think I am seeing that being compliant would not so much depend on the software we use for the encryption but rather on the whole process (our responsibility being mostly how we handled the information on our end once we unencrypted it).
If I am not understanding correctly, please do advise.
you are correct, PCI compliance does not require a specific software to be used.
It is more defining what you should do to protected you data environment, what should NOT be done (and when it has to be done, then why it is required and what you do to handle the risks).
So all your servers have to be configured/monitored in a PCI compliant way, and also all users with access to these systems.
If you email the credit card data to your office, then also your office must meet the PCI requirements.
Here in switzerland we have 2-3 solutions from PCI certified operators, where you yourself don’t have to be PCI certified, because the credit card informations are not entered on our own webpages, but are entered on a webserver of the operator which then also does handle the authorizations to the different credit and debit cards used in switzerland.
That way you can make you life much easier
A international operator of such stuff is for example worldpay (http://www.worldpay.com/)
They do a good job and let you sleep more easily. Fully complying with PCI is not a simple matter…
I agree, you don’t need to buy PGP over GPG to be compliant.
Where your compliance obligations come into play is how you are protecting the data that is sent to you once you have it on your system (as alluded to in the last reply from Andre)