There is a requirement to run only one application per server (2.2.1).  Our 
PCI person at IBM Internet Security Systems (who is also an assessor) has 
told us that this is a result of the Wintel slant of the DSS group and does 
not apply to mainframe and midrange systems which have traditionally 
supported multiple applications.  They just don't want you running a payroll 
app on your PDC.  When I referred to segregating servers, I meant placing 
servers containing card data on a separate VLAN from other servers so 
they're not accessible from the non-PCI VLAN.
As far as the visitor badges are concerned, DSS 9.2 references "areas where 
cardholder data is accessible".  What does that mean?  Your guess is as good 
as mine.  I would think that, if you could secure the data center area 
(maybe your DC takes up all of one floor and you can secure that floor), 
that would suffice.
Since I'm not a qualified assessor, my opinions don't carry much weight. 
There are companies that will perform a pre-assessment and let you know what 
is OK and what is not.  If you can't get funding for that, maybe you can 
buddy up to someone that's a qualified assessor.
Steve
"Mike Cunningham" <mcunning@xxxxxxx> wrote in message 
news:mailman.2649.1201881155.2331.midrange-l@xxxxxxxxxxxxxxx
We are level 4 but could push into level 3 if card use grows. Our iSeries is 
also our primary business (we are a college) machine but we do use it to 
store credit card information and the same system (we only have 1) does lots 
of other work. So right now it's not possible for us to physically segregate 
that server. The credit card data is encrypted by the third-party 
application we use to process card transactions and that software has been 
PCI-DSS certified. All the data is logically segregated (it's a library that 
no one has access to except through the applications we wrote that let them 
access it) from the rest of the system and is not accessible from any 
outside ODBC/JDBC/OLE DB connections (we use exit points to prevent access).
When it comes to issuing visitor badges does that apply to just visitors to 
the datacenter itself (we do not allow this at all except under very strict 
monitored tours by students), visitors to the building the datacenter is in 
(we are in the same building as our Admissions office and there are 
sometimes 100+ visitors in the building but they go nowhere near the 
datacenter), or visitors to the organization which on some days might be 
more like 500 people if a special event is being held?
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx 
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steve McKay
Sent: Friday, February 01, 2008 10:35 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: PCI-DSS Compliance in an iSeries world
We are a level 2 merchant.  The iSeries is our primary business system but
we don't store card information on it so it is out of scope for PCI
purposes.
The PCI compliance process is much like the SOX process - at a third party
assessor level (as opposed to a self assessment level) it will probably
instigate many changes in your policies and processes.  Things that you may
not do today like issuing visitors' badges or having a policy to not e-mail
card numbers will have to change.  For us, the major change is segregating
servers that store card information from other servers on our network.
What specific questions do you have?
Steve
"Mike Cunningham" <mcunning@xxxxxxx> wrote in message
news:mailman.2563.1201831912.2331.midrange-l@xxxxxxxxxxxxxxx
Has anyone on this list had to prove PCI-DSS credit card security
requirements in an iSeries centric business?
Mike Cunningham
CIO
Penn College
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.