I can’t insist enough on how bad this is. Putting at risk all messaging systems, it would be only a matter of time before a malevolent actor gets the keys and gets all kinds of personal and sensitive data.
Hold on - you think that not logging VPN activity is the same as not logging access to servers storing credit card numbers?
I honestly stopped reading after that
Logs are logs. PCI has some structure to it, but it’s not generally enforced. Hell, we’ve had cases in Canada where businesses have stored customer credit card information on Excel sheets – NCIX in BC did this, it came to light after they sold their servers, unwiped, at auction and the new owners got the docs. There are no specific laws that say how a business needs to handle logging to servers holding credit card numbers – there’s just a PCI standard, set generally by a foreign bank consortium, which most/many small businesses ignore.
A log of someone connecting up to something like a customer portal to review their payment information/details, and basic customer information, would fall under the pending legislation. It’d also constitute ‘logging’ for a log-less company, generally speaking, as it’s recording access to that company’s services. One reason log-less companies are opposing the legislation is that it requires them to know who their customers are, and who logs in to use their services, to record some metadata about that usage, and to report that information to the authorities when required.