|
View previous topic :: View next topic
|
| Author |
Message |
elmerv
New User
Joined: 13 Jul 2006
Posts: 3
|
|
|
|
Hello,
We are undergoing a review of our controls for PCI compliance. Requirement 3.4 specifies that PAN must be rendered unreadable wherever it is stored. So if the source VSAM dataset contains PANs, does this mean the VSAM dataset needs to be encrypted? Or is RACF enough compensating control to satisfy the PCI requirement? Or is there any other solution?
Thank you.
Bew |
|
| Back to top |
|
 |
Robert Sample
Global Moderator
Joined: 06 Jun 2008
Posts: 8696
Location: Dubuque, Iowa, USA
|
|
|
|
| When we went through the PCI compliance process, it was determined that at a minimum the field had to be encrypted -- RACF access controls is not enough to meet the requirement. Data 21's ZIP-390 product, for one, supports field-level encryption and can be called from COBOL, SAS, PL/I, etc. I believe there are others that do this but I'm most familiar with ZIP-390. |
|
| Back to top |
|
|
elmerv
New User
Joined: 13 Jul 2006
Posts: 3
|
|
|
|
Thank you Robert. So we should be looking at encryption, then.
If you would be able to share, were there any performance issues
after implementing encryption?
Thanks.
Bew |
|
| Back to top |
|
|
Robert Sample
Global Moderator
Joined: 06 Jun 2008
Posts: 8696
Location: Dubuque, Iowa, USA
|
|
|
|
| No, no performance issues showed up since we did only the field, not the entire file. |
|
| Back to top |
|
|
elmerv
New User
Joined: 13 Jul 2006
Posts: 3
|
|
|
|
I'll advise them to look into encryption.
Appreciate your input.
Thanks.
Bew |
|
| Back to top |
|
|
|
|
