× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2009

Re: Looking for information on PCI Code Security Reviews

Since we know nothing about your application - RPG, Cobol, Java, PHP ....
On any platform, in any language - plugging in a compliant app "might"
be cheaper/easier than determining compliance, but that is not an absolute.
There are pci compliant apps on the i, and there are vendors with tools for
determining compliance (Skyview Partners is one name, but there are others).
I thought your orig post was the customer wanted to review his own software,
which within rules, seems to be allowed.
Jim

---- KKinnear@xxxxxxxxxx wrote:
...>
Are there any tools for System i to do the automated scanning of RPG code
related to security (and associated training) or training focused at
qualifying an individual for the manual review process?

My guess is that there is nothing specific to System i, which is what my
client is looking for. My recommendation will very likely be that they
look at moving those applications covered by PCI off the System i because
it will be simpler to fulfill the requirements of the regulatory bodies.
Which will unfortunately end up with another System i decommissioned.

Kendall Kinnear



From:
"Jim Franz" <franz400@xxxxxxxxxxxx>
To:
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date:
01/26/2009 09:33 PM
Subject:
Re: Looking for information on PCI Code Security Reviews



This is an explanation of the code review, from the PCI Security Standards

Council (that wrote the
PCI requirements). It's not a 5 or 10 or even 30 word answer... it's a
several pages answer and that
is what you have to read.

https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf


btw - I wonder how many in our community of iSeries shops have no clue as
to
the requirements (
entities that transmit, process, or store payment card data) that is due
this Oct and the
consequences of inaction ... https://www.pcisecuritystandards.org/

Jim Franz

----- Original Message -----
From: <KKinnear@xxxxxxxxxx>
To: <MIDRANGE-L@xxxxxxxxxxxx>
Sent: Monday, January 26, 2009 10:42 AM
Subject: Looking for information on PCI Code Security Reviews


I've been inactive for awhile due to medical issues but I'm back and
fully
involved again so I thought I'd turn to some of the best experts
around
for some help.

I have a client looking for experience with or information concerning
Code
Security Review processes related to System i and/or Infinum. The
Mastercard/Visa PCI requirements specify that when there is custom
code
that accesses credit card data someone trained in code security must
review the code prior to production implementation. Any information on
best practices or education specifically targeted at System i is
appreciated.

We disagree on the intrepretation of some of the wording. Everything
I've
read says an organization that is trained in Code Security Review must
audit the changes. That could be intrepreted to say that an outside
organization must review the code. My client believes the code can be
reviewed by someone else within the company not involved in the
development project. Any ideas of which intrepretation might be
correct.

Thanks for any help!

Kendall Kinnear
Senior Systems Architect

KS2 Technologies, Inc
1020 Mustang Dr
Grapevine, TX 76051

Office: 817.310.1817
Fax: 817.310.1801
Mobile: 214.676.3146
email: KKinnear@xxxxxxxxxx

http://www.ks2inc.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.




--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.