Eric Chevalier wrote:
On 25 Aug 2009 14:14:56 -0700,
[email protected] (Hal Merritt) wrote:

VPN is a good solution, but not PCI compliant.

That statement just doesn't make sense, and even verges on being
factually incorrect. The current PCI DSS document, version 1.2.1,
_explicitly_ mentions VPN as an approved technology:

2.3 Encrypt all non-console administrative access. Use technologies
    such as SSH, VPN, or SSL/TLS for web-based management and other
    non-console administrative access.

8.3 Incorporate two-factor authentication for remote access
    (network-level access originating from outside the network) to
    the network by employees, administrators, and third parties. Use
    technologies such as remote authentication and dial-in service
    (RADIUS); terminal access controller access control system
    (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with
    individual certificates.

--
Eric Chevalier                          E-mail: [email protected]
                                           Web: www.tulsagrammer.com
    Is that call really worth your child's life?  HANG UP AND DRIVE!

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


The problem for PCI with VPN is NOT over the internet part of the network, but rather over the internal part: from the VPN server to wherever the data ends up. That is typically in the clear.

So if your VPN does not end on z/OS, you must somehow encrypt from the VPN server to the z/OS host. Using TN3270 with SSL/TLS solves this. The data is encrypted from end to end.

Lloyd
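One way to verify the host-side leg Lloyd describes, as an added example that is not part of the original thread: the script below connects to a TN3270 listener and reports whether it begins plain Telnet option negotiation (the cleartext case) or completes a TLS handshake. The port conventions (23 plain, 992 TN3270 over TLS), the host name and the sample byte strings in the comments are assumptions, not taken from the thread.

```python
"""Check whether a TN3270 listener speaks TLS or plain Telnet (added example)."""
import socket
import ssl
import sys

IAC = 0xFF            # Telnet "Interpret As Command": start of option negotiation
TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a listener sends.

    A cleartext TN3270 server starts Telnet negotiation immediately
    (e.g. constructed sample b"\xff\xfd\x18" = IAC DO TERMINAL-TYPE).
    A TLS listener stays silent until it sees a ClientHello, then answers
    with a handshake record (0x16 0x03 xx). Anything else is "unknown".
    """
    if not data:
        return "silent"
    if data[0] == IAC:
        return "cleartext-telnet"
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, look for Telnet negotiation, otherwise attempt a TLS handshake."""
    ctx = ssl.create_default_context()  # verifies the host certificate chain
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.settimeout(1.0)              # a plain server talks first; TLS waits
        try:
            banner = raw.recv(16, socket.MSG_PEEK)   # peek, do not consume
        except socket.timeout:
            banner = b""
        kind = classify_banner(banner)
        if kind == "cleartext-telnet":
            return {"tls": False, "reason": "server began Telnet negotiation"}
        raw.settimeout(timeout)
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"tls": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "cert_verified": True}
        except ssl.SSLCertVerificationError as exc:
            return {"tls": True, "cert_verified": False, "reason": str(exc)}


if __name__ == "__main__":
    # usage: python probe_tn3270.py <host> [port]  (port 992 = TN3270 over TLS)
    target, prt = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 992
    print(probe(target, prt))
```

A result of `{"tls": False, ...}` on the port the VPN concentrator forwards to means that internal leg is the cleartext segment Lloyd is warning about.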
