


We are level 4 but could push into level 3 if card use grows. Our iSeries is also our primary business (we are a college) machine but we do use it to store credit card information and the same system (we only have 1) does lots of other work. So right now it's not possible for us to physically segregate that server. The credit card data is encrypted by the third-party application we use to process card transactions and that software has been PCI-DSS certified. All the data is logically segregated (it's a library that no one has access to except through the applications we wrote that let them access it) from the rest of the system and is not accessible from any outside ODBC/JDBC/OLE DB connections (we use exit points to prevent access).

When it comes to issuing visitor badges, does that apply to just visitors to the datacenter itself (we do not allow this at all except under very strict monitored tours by students), visitors to the building the datacenter is in (we are in the same building as our Admissions office and there are sometimes 100+ visitors in the building but they go nowhere near the datacenter), or visitors to the organization, which on some days might be more like 500 people if a special event is being held?

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steve McKay
Sent: Friday, February 01, 2008 10:35 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: PCI-DSS Compliance in an iSeries world

We are a level 2 merchant. The iSeries is our primary business system but
we don't store card information on it so it is out of scope for PCI
purposes.

The PCI compliance process is much like the SOX process - at a third party
assessor level (as opposed to a self assessment level) it will probably
instigate many changes in your policies and processes. Things that you may
not do today like issuing visitors' badges or having a policy to not e-mail
card numbers will have to change. For us, the major change is segregating
servers that store card information from other servers on our network.

What specific questions do you have?

Steve

"Mike Cunningham" <mcunning@xxxxxxx> wrote in message
news:mailman.2563.1201831912.2331.midrange-l@xxxxxxxxxxxxxxx
Has anyone on this list had to prove PCI-DSS credit card security
requirements in an iSeries centric business?

Mike Cunningham
CIO
Penn College





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.
