It sounds like you may be following up on a red herring. For example, what does
it mean that all workstations are "in scope"? I'm also unaware of anyone
anywhere connecting "directly to i". There's almost always at least one
on-premises network appliance in front. Often there are more. TCP/IP traffic is
often routed through multiple on-premises network segments before arriving at an
IBM i server. You may already have multiple firewalls on multiple network
segments. Network appliances are generally more secure than front-ending IBM i
with another application server like Citrix.
I was looking at the PCI documented Requirements and Security Assessment Procedures,
and there is no mention of "certificates". SSL of course is mentioned, but no
definitive SSL implementation method is specified. I don't know if individual
certificates are more secure than group certificates, but I would tend to rely
on SSL for encryption and login credentials (user/password) for authentication.
-Nathan
----- Original Message ----
From: "TDuncan@xxxxxxxxxxxxxxxxxx" <TDuncan@xxxxxxxxxxxxxxxxxx>
To: midrange-l@xxxxxxxxxxxx
Sent: Mon, January 10, 2011 3:44:30 PM
Subject: PCI question
We currently have credit card info on our i (yes, they are encrypted) and
are preparing for a PCI audit. Currently all of our users connect directly
to the i via telnet (green screen) using a common group SSL cert. We have
been told that if we maintain that connectivity then all of their
workstations would be in scope and we would need to use personal
individual SSL certs for each workstation. This is the IBM recommendation
and it would be a logistical nightmare to implement and administrate. An
alternative would be to have them connect to another server that then
connects to the i, like a telnet proxy server or Citrix, which would no
longer have them connecting directly to the i and as such the workstations
would not be in scope. The Telnet proxy option could cause us function key
mapping issues and the Citrix solution is simply too slow and complex for
our user base. I am looking for other alternatives that would meet PCI
standards. Anyone got any experience with anything else?
Tom Duncan
Senior iSeries Administrator
Winston Brands Inc.
(847) 350-5638
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.