As I understand it, the requirement is something along the lines of "all
access to any server that manages credit card data must be secure",
which more or less boils down to a requirement for secure
authentication. SSL is the recommended remedy for this requirement,
since SSL negotiates an encryption session before authenticating to the
host.

This is one of the main reasons that outsourced credit card processing
is becoming so attractive. All of the security compliance for PCI rests
on the service provider, letting the business get on with its thing...

I think some of these requirements had been exclusive to the tier one
customers (high transaction volume), but may be coming into scope for
smaller customers now.

-Eric DeLong

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DrFranken
Sent: Monday, January 10, 2011 8:05 PM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: PCI question

Tom,

I have multiple customers who like you have credit card information
flowing through and on their i. Like you they accept credit cards from
customers on a near continuous basis and have many workstations directly
connected to their i. All of them consider themselves PCI compliant and
none have gone to the trouble of using SSL with user certificates on
their PCs nor have they inserted another machine, proxy, or other device
in the middle of the connection.

I think you might be chasing a requirement that doesn't exist.

- Larry "DrFranken" Bolhuis

On 1/10/2011 5:44 PM, TDuncan@xxxxxxxxxxxxxxxxxx wrote:
We currently have credit card info on our i (yes, they are encrypted)
and are preparing for a PCI audit. Currently all of our users connect
directly to the i via telnet (green screen) using a common group SSL
cert. We have been told that if we maintain that connectivity then all
of their workstations would be in scope and we would need to use
personal individual SSL certs for each workstation. This is the IBM
recommendation and it would be a logistical nightmare to implement and
administrate. An alternative would be to have them connect to another
server that then connects to the i, like a telnet proxy server or
Citrix, which would no longer have them connecting directly to the i
and as such the workstations would not be in scope. The Telnet proxy
option could cause us function key mapping issues and the Citrix
solution is simply too slow and complex for our user base. I am looking
for other alternatives that would meet PCI standards. Anyone got any
experience with anything else?

Tom Duncan
Senior iSeries Administrator
Winston Brands Inc.
(847) 350-563

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.