× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2009

Re: Looking for information on PCI Code Security Reviews

Thanks Al, some good advice there. As you might infer from my prior note,
I don't believe that any shortcuts in the PCI process are appropriate.

Kendall



From:
macwheel99@xxxxxxxxxx
To:
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date:
01/26/2009 05:37 PM
Subject:
Re: Looking for information on PCI Code Security Reviews



Some of these decisions need to be made by LAWYERS. I think you will
agree
after reading theis blog on what has happened at some other sites, where
the
company leadership made some decisions regarding the interpretation of PCI

rules, and were found wanting after a breach, that led to multi million
dollar lawsuits.

http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-

problems.html

There's lots of good links here, such as exactly what went wrong in one of

the most spectacular breaches of a place supposedly PCI compliant.

Al Macintyre

KKinnear wrote
I've been inactive for awhile due to medical issues but I'm back
and fully involved again so I thought I'd turn to some of the best
experts around for some help.

I have a client looking for experience with or information
concerning Code Security Review processes related to System i
and/or Infinum. The Mastercard/Visa PCI requirements specify that
when there is custom code that accesses credit card data someone
trained in code security must review the code prior to production
implementation. Any information on best practices or education
specifically targeted at System i is appreciated.

We disagree on the intrepretation of some of the wording.
Everything I've read says an organization that is trained in Code
Security Review must audit the changes. That could be intrepreted
to say that an outside organization must review the code. My
client believes the code can be reviewed by someone else within
the company not involved in the development project. Any ideas of
which intrepretation might be correct.

Thanks for any help!

Kendall Kinnear
Senior Systems Architect

KS2 Technologies, Inc
1020 Mustang Dr
Grapevine, TX 76051

Office: 817.310.1817
Fax: 817.310.1801
Mobile: 214.676.3146
email: KKinnear@xxxxxxxxxx

http://www.ks2inc.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options, visit:
http://lists.midrange.com/mailman/listinfo/midrange-l or email:
MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment
to review the archives at http://archive.midrange.com/midrange-l.


--
WOW! Homepage (http://www.wowway.com)


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.