PCI-DSS Linux file storage network server with USB key authentication
Posted on 2011-10-14
I work for a major-brand hotel and I wanted to implement a PCI-DSS compliant server where we can store credit card information that is faxed to us for third-party billing (such as if I wanted to pay for your room or was planning a meeting event). Since companies began PCI implementation, vendors have been faxing third-party credit card authorizations for our guests, who sometimes have a reservation made months in advance. From what I understand, this means we can hold it "as long as necessary to obtain authorization", which could mean until the guest checks out or even 30 days after that, because since we did not swipe the card, the transaction can be disputed without an authorization form in which they state they agree to pay for some charges.

So instead of locking up hundreds of documents (which we will for groups and events) for the numerous faxes we get, I was thinking of a full-disk-encryption server and using TrueCrypt to encrypt the volume or file containing those documents. Two-way authentication would ideally consist of USB "keys" issued only to managers, who, much like with their money safety deposit box, would be responsible for keeping them safe. So they would have to type a password to get into the server and have the USB key to access those files. I would keep the master key and header in our vault (only 3 people know the combo, not including me) and change the key and reissue it every 30 days or when a USB device is lost.

How would I go about doing this, or is there an easier or more secure way to be compliant? Maybe I am overthinking this, but USB keys would be cool. There would obviously be RAID (hardware and software) and this would not be networked or even go on the net except for updates. I am just not sure I can do that in a liable manner with no data loss.
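The two-factor unlock the post describes (a typed password plus a keyfile carried on a manager's USB stick, with the USB key reissued every 30 days or when a stick is lost) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original post or from TrueCrypt; it uses only the Python standard library. It follows the general shape TrueCrypt documents for keyfiles (the keyfile contents are reduced to a fixed-size pool and mixed with the password before the slow key derivation, so neither factor alone reproduces the header key), but the header layout, the PBKDF2 iteration count and the XOR-plus-HMAC wrapping of the volume key are constructed stand-ins for the real tool's AES header encryption, chosen so the example runs offline. The keyfile bytes and passwords are constructed sample values. `rewrap_header` is the operation behind both the 30-day reissue and the vault copy: the same volume key is wrapped again under a different password/keyfile pair, so the encrypted documents themselves never need re-encrypting.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this demonstration (not TrueCrypt's real header
# format or KDF settings). A real tool fixes these in its on-disk format.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 32
KEY_LEN = 32


def keyfile_pool(keyfile_bytes: bytes) -> bytes:
    """Reduce the keyfile carried on the USB stick to a fixed-size pool."""
    return hashlib.sha256(keyfile_bytes).digest()


def derive_header_key(password: str, keyfile_bytes: Optional[bytes], salt: bytes) -> bytes:
    """Mix the typed password (something you know) with the keyfile (something
    you have) before the slow KDF. A missing or altered keyfile changes the
    input material, so the derived header key is simply wrong."""
    material = password.encode("utf-8")
    if keyfile_bytes is not None:
        material += keyfile_pool(keyfile_bytes)
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _keystream(header_key: bytes) -> bytes:
    # Stand-in for AES header encryption: one 32-byte block of HMAC keystream.
    return hmac.new(header_key, b"volume-key-wrap", hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(volume_key: bytes, password: str, keyfile_bytes: bytes) -> dict:
    """Wrap the volume key under a fresh salt and an authentication tag."""
    salt = os.urandom(SALT_LEN)
    header_key = derive_header_key(password, keyfile_bytes, salt)
    wrapped = _xor(volume_key, _keystream(header_key))
    tag = hmac.new(header_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def create_header(password: str, keyfile_bytes: bytes):
    """Generate a fresh volume key and wrap it. Returns (header, volume_key);
    only the header is written to disk, the volume key lives in RAM while mounted."""
    volume_key = os.urandom(KEY_LEN)
    return _wrap(volume_key, password, keyfile_bytes), volume_key


def open_header(header: dict, password: str, keyfile_bytes: Optional[bytes]) -> Optional[bytes]:
    """Unwrap the volume key. Returns None when either factor is wrong or missing;
    the tag check is constant-time so a wrong guess leaks nothing about which factor failed."""
    header_key = derive_header_key(password, keyfile_bytes, header["salt"])
    expected = hmac.new(header_key, header["salt"] + header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return _xor(header["wrapped"], _keystream(header_key))


def rewrap_header(header: dict, password: str, keyfile_bytes: bytes,
                  new_password: str, new_keyfile_bytes: bytes) -> dict:
    """Reissue the factors (30-day rotation, lost USB stick, or a vault escrow copy):
    the same volume key is wrapped under the new pair, so no data is re-encrypted.
    The old header must then be securely destroyed or the old stick still opens the volume."""
    volume_key = open_header(header, password, keyfile_bytes)
    if volume_key is None:
        raise ValueError("current password/keyfile rejected; cannot rotate")
    return _wrap(volume_key, new_password, new_keyfile_bytes)


if __name__ == "__main__":
    manager_usb = os.urandom(64)            # constructed: random keyfile written to a manager's stick
    header, volume_key = create_header("manager-passphrase", manager_usb)
    assert open_header(header, "manager-passphrase", manager_usb) == volume_key
    print("password only:", open_header(header, "manager-passphrase", None))       # None
    print("stick only:   ", open_header(header, "", manager_usb))                  # None
    reissued_usb = os.urandom(64)           # constructed: the stick handed out after 30 days
    header = rewrap_header(header, "manager-passphrase", manager_usb,
                           "manager-passphrase", reissued_usb)
    print("old stick after rotation:", open_header(header, "manager-passphrase", manager_usb))  # None
    print("new stick after rotation:", open_header(header, "manager-passphrase", reissued_usb) == volume_key)
```

Two design points carry over to any real deployment regardless of tool: the keyfile on the stick should be random bytes generated on the server (not a document the manager chose), and rotation only helps if every copy of the previous header is overwritten, since an old header plus an old stick still unwraps the unchanged volume key.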