Thread

  1. PCI-DSS Requirements

    Inzamam Shafiq <inzamam.shafiq@hotmail.com> — 2022-09-20T09:27:46Z

    Hi Team,
    
    
    Anyone on PCI-DSS requirements for PostgreSQL DB, need help for some of the points.
    
    Regards,
    
    Inzamam Shafiq
    DBA
    
  2. Re: PCI-DSS Requirements

    Ron Johnson <ronljohnsonjr@gmail.com> — 2022-09-20T17:44:57Z

    On 9/20/22 04:27, Inzamam Shafiq wrote:
    >
    > Hi Team,
    >
    >
    > Anyone on PCI-DSS requirements for PostgreSQL DB, need help for some of 
    > the points.
    >
    
    Can you be more specific?  (Typically. the auditors or the "audit pre-check" 
    team will ask for a bunch of details on how your instance is configured.)
    
    The usual questions I get are:
    - What password hash algorithm is used?
    - How frequently to passwords expire?
    - Is SSL used when communicating with applications?
    
    -- 
    Angular momentum makes the world go 'round.
  3. Re: PCI-DSS Requirements

    Inzamam Shafiq <inzamam.shafiq@hotmail.com> — 2022-09-22T06:16:15Z

    Hi Ron,
    
    Thank you for the response.
    
    Actually we are in a starting phase and I have done instance level encryption (CYBERTECH TDE Patch) but if someone take dump and restore it on another server the data get restored successfully. Also the problem is that the data is in plain text.
    
    So I want to ask if disk or instance level encryption useful or we should focus on column level encryption?
    
    Also if any error occurred during DML and a plain query will be written into the logs which may not be compliant with PCI. How to overcome that?
    
    Thanks.
    
    Regards,
    
    Inzamam Shafiq
    Sr. DBA
    ________________________________
    From: Ron <ronljohnsonjr@gmail.com>
    Sent: Tuesday, September 20, 2022 10:44 PM
    To: pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
    Subject: Re: PCI-DSS Requirements
    
    On 9/20/22 04:27, Inzamam Shafiq wrote:
    
    Hi Team,
    
    
    Anyone on PCI-DSS requirements for PostgreSQL DB, need help for some of the points.
    
    Can you be more specific?  (Typically. the auditors or the "audit pre-check" team will ask for a bunch of details on how your instance is configured.)
    
    The usual questions I get are:
    - What password hash algorithm is used?
    - How frequently to passwords expire?
    - Is SSL used when communicating with applications?
    
    --
    Angular momentum makes the world go 'round.
    
  4. Re: PCI-DSS Requirements

    Laurenz Albe <laurenz.albe@cybertec.at> — 2022-09-22T07:46:14Z

    On Thu, 2022-09-22 at 06:16 +0000, Inzamam Shafiq wrote:
    > From: Ron <ronljohnsonjr@gmail.com>
    > > > Anyone on PCI-DSS requirements for PostgreSQL DB, need help for some of the points.
    > >
    > > Can you be more specific?  (Typically. the auditors or the "audit pre-check" team
    > > will ask for a bunch of details on how your instance is configured.)
    > >
    > > The usual questions I get are:
    > > - What password hash algorithm is used?
    > > - How frequently to passwords expire?
    > > - Is SSL used when communicating with applications?
    > 
    > Actually we are in a starting phase and I have done instance level encryption
    > (CYBERTECH TDE Patch) but if someone take dump and restore it on another server
    > the data get restored successfully. Also the problem is that the data is in plain text.
    > 
    > So I want to ask if disk or instance level encryption useful or we should focus on
    > column level encryption?
    > 
    > Also if any error occurred during DML and a plain query will be written into the
    > logs which may not be compliant with PCI. How to overcome that?
    
    Yes, data-at-rest encryption is expensive, but of limited effectiveness.
    
    If you store sensitive information about credit cards and their owners,
    the best you can do is encrypt sensitive columns in the application, so
    that unencrypted data never touch the database. Make sure you don't encrypt
    everything, only the sensitive data, so that you can retain some degree of
    usability.
    
    A great deal will also rest on your database user management and authentication,
    and how well access to the system is logged and controlled.
    
    All that said, there is always a difference between good security and passing
    a certification exam...
    
    Yours,
    Laurenz Albe
    
    
    
    
  5. Re: PCI-DSS Requirements

    Ron Johnson <ronljohnsonjr@gmail.com> — 2022-09-22T11:18:06Z

    We use PgBackRest to create encrypted backups, but the nature of pg_dump 
    means that the only way for them to be encrypted is to add that feature to 
    pg_dump.
    
    On 9/22/22 01:16, Inzamam Shafiq wrote:
    > Hi Ron,
    >
    > Thank you for the response.
    >
    > Actually we are in a starting phase and I have done instance level 
    > encryption (CYBERTECH TDE Patch) but if someone take dump and restore it 
    > on another server the data get restored successfully. Also the problem is 
    > that the data is in plain text.
    >
    > So I want to ask if disk or instance level encryption useful or we should 
    > focus on column level encryption?
    >
    > Also if any error occurred during DML and a plain query will be written 
    > into the logs which may not be compliant with PCI. How to overcome that?
    >
    > Thanks.
    >
    > Regards,
    >
    > /Inzamam Shafiq/
    > /Sr. DBA/
    > ----------------------------------------------------------------------------
    > *From:* Ron <ronljohnsonjr@gmail.com>
    > *Sent:* Tuesday, September 20, 2022 10:44 PM
    > *To:* pgsql-general@lists.postgresql.org <pgsql-general@lists.postgresql.org>
    > *Subject:* Re: PCI-DSS Requirements
    > On 9/20/22 04:27, Inzamam Shafiq wrote:
    >>
    >> Hi Team,
    >>
    >>
    >> Anyone on PCI-DSS requirements for PostgreSQL DB, need help for some of 
    >> the points.
    >>
    >
    > Can you be more specific?  (Typically. the auditors or the "audit 
    > pre-check" team will ask for a bunch of details on how your instance is 
    > configured.)
    >
    > The usual questions I get are:
    > - What password hash algorithm is used?
    > - How frequently to passwords expire?
    > - Is SSL used when communicating with applications?
    >
    > -- 
    > Angular momentum makes the world go 'round.
    
    -- 
    Angular momentum makes the world go 'round.