Security Basics
mailing list archives
Re: Database Encryption and PCI issue.
From: amatachick () gmail com
Date: 13 Feb 2008 14:54:25 -0000
M Farid,

You might want to take another look at the Database requirements for PCI. They just changed the self-assessment questionnaire on the 6th of Feb. I've had to go through the whole thing again because a number of things were changed/explained in more depth.

Specifically speaking to database encryption, it looks like Requirement 3.4.1 offers up an option to database table encryption if it's not possible. That option is disk encryption. According to the requirement, "If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts)."

Within the guidance given it goes on to say "... to be compliant with this requirement, the disk encryption method cannot have: 1) A direct association with the operating system, or 2) Decryption keys that are associated with user accounts."

You can further refer to Appendix B: Compensating Controls in the PCI DSS.

I just wanted to make sure you knew that you have options on this one. :)

Amy