You are more correct than I. I misspoke in my statement. I am not an expert on PCI and should have made that clear.
But you are looking at current requirements, and they are a moving target with each iteration being more onerous than before. More, conversations with auditors lead me to believe point to point to be a logical next step.

In my defense, endpoint to endpoint -is- compliant and most likely will remain so in the foreseeable future.

Lastly, your quotation seems to cover administrative and third party access. My context is more data movement centric.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Eric Chevalier
Sent: Wednesday, August 26, 2009 11:23 AM
To: [email protected]
Subject: Re: Need new 3270 emulator: SSH, inexpensive, reliable

On 25 Aug 2009 14:14:56 -0700, [email protected] (Hal Merritt) wrote:

>VPN is a good solution, but not PCI compliant.

That statement just doesn't make sense, and even verges on being factually incorrect. The current PCI DSS document, version 1.2.1, _explicitly_ mentions VPN as an approved technology:

  2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

  8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

--
Eric Chevalier
E-mail: [email protected]
Web: www.tulsagrammer.com
Is that call really worth your child's life? HANG UP AND DRIVE!

