RanjitRaveendran Warnings : 1 New User
Joined: 24 Nov 2008 Posts: 20 Location: Bangalore
I need to mask some Credit Card Information in a non-VSAM PDS before writing to a GDG tape. Can I use a regular expression in REXX to do that, or is this possible using the SORT utility? The Credit Card Information is available in a regular format which starts like "PMT+1:"
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10872 Location: italy
data masking is a security and privacy issue that should not be based on forum replies,
too many legal issues and concerns
it should be planned at the highest organization levels
and implemented using proper tools and techniques
( auditable and certified )
speak to Your security support group / Your manager
P.S. output being a GDG is irrelevant to the process
a non VSAM PDS is a redundancy
a dataset is VSAM or PDS
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
I don't believe masking credit card data meets PCI (Payment Card Industry) requirements -- encryption is the requirement. If the data is encrypted, masking is not necessary since the data is not available in plain text. If the data is unencrypted, PCI compliance fails and there is significant exposure to legal liability -- as TJ Maxx and Hannaford have found out -- so there is a major management issue there.
RanjitRaveendran Warnings : 1 New User
Joined: 24 Nov 2008 Posts: 20 Location: Bangalore
I should probably term it Override with a wild character like X or * instead of masking. The intention is to prevent reading the credit card number in a file being sent to a VM system.
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
You can call it masking, or you can call it override, but the credit card industry standard is that credit card numbers not be stored on disk in the clear. And if you're needing masking (override, or whatever you call it) your site is not complying with PCI rules. My recommendation is to change the source data so you don't have the issue.
RanjitRaveendran Warnings : 1 New User
Joined: 24 Nov 2008 Posts: 20 Location: Bangalore
You are right, and they are going to encrypt the data at the source in future. Right now I have some past data in tapes which is what I need to hide from someone reading.
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
Recommendation 1. Implement very tight security rules through your security product on the tapes with credit card data.
Recommendation 2. There are commercially available products that do field level encryption; use one of them to encrypt the data as you copy from one tape to another.
Recommendation 3. If Recommendation 2 is not possible, develop some in-house encryption routine (but be aware that it is almost certainly not going to be secure enough to meet PCI requirements -- it is extremely difficult to do a good encryption routine). Copy the tapes using your in-house routine.