Herbie Van Dalsen already replied with much of what I would say, but I do have a couple of comments.

R.S. writes:

> Excuse me, what company encrypts "anything on disk"???

Some. Numbers are increasing. IBM doesn't add features like ENCRYPT (SQL keyword) to DB2 or ship products like IBM Data Encryption for IMS and DB2 Databases in the face of zero demand. Presumably the same is true with other vendors.

> IMHO "encrypt everything" is kind of a euphemism (fiction if you want).
> It is simply impossible.

That's why I put it in quotes. We're agreed. However, as an encapsulation of what the auditors require, it's a good, succinct summary.

> It is also too expensive and not needed, but this is another story.

The topic here is PCI compliance. Take up budget complaints with the PCI auditors. Good luck. :-)

I worked with a credit card processor that was told by its PCI auditors that it must encrypt any sensitive information on disk, including credit card numbers, expiration dates, etc. This is typical and reality. Maybe your country's situation is different, although that might not persist.

> BTW: I would say *almost* all data on media or on the wire *outside*
> secured company premises should be encrypted. That means remote links
> (except DWDM in the majority of cases), tapes, CDs, etc.
> Encryption of network links can be done at protocol level (SSH instead
> of telnet) or "at router level" (all the traffic is encrypted). Usually
> there is no reason to use an encrypted protocol when the whole link is already
> encrypted.
> Last but not least: each case requires thorough analysis.

While I might agree with your logic -- the chance of a spindle theft is relatively remote though nonzero -- it really doesn't matter what you or I say here. There are certain minimum security requirements for processing Visa, MasterCard, and other credit cards. The PCI auditors dictate whether you meet those standards or not, and what you're supposed to do to remedy any shortcomings. This is certainly true in the United States and increasingly true in other countries.

PCI became re-energized in the wake of the CardSystems debacle, and subsequent breaches haven't made them any less forgiving.

By the way, the same company was ordered to encrypt every network connection, including network connections within their data center. To my knowledge they're complying.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]

