elmerv
New User
Joined: 13 Jul 2006 Posts: 3
Hello,
We are undergoing a review of our controls for PCI compliance. Requirement 3.4 specifies that PAN must be rendered unreadable wherever it is stored. So if the source VSAM dataset contains PANs, does this mean the VSAM dataset needs to be encrypted? Or is RACF enough compensating control to satisfy the PCI requirement? Or is there any other solution?
Thank you.
Bew
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
When we went through the PCI compliance process, it was determined that at a minimum the field had to be encrypted -- RACF access controls are not enough to meet the requirement. Data 21's ZIP-390 product, for one, supports field-level encryption and can be called from COBOL, SAS, PL/I, etc. I believe there are others that do this but I'm most familiar with ZIP-390.
elmerv
New User
Joined: 13 Jul 2006 Posts: 3
Thank you Robert. So we should be looking at encryption, then.
If you would be able to share, were there any performance issues
after implementing encryption?
Thanks.
Bew
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8696 Location: Dubuque, Iowa, USA
No, no performance issues showed up since we did only the field, not the entire file.
elmerv
New User
Joined: 13 Jul 2006 Posts: 3
I'll advise them to look into encryption.
Appreciate your input.
Thanks.
Bew