We have learnt that there is not always logic involved in what the PCI QSA demands to certify we are compliant. Not all QSAs have a good grounding in Mainframe strengths and weaknesses - despite our best efforts in education.
However I agree that a transfer initiated from the mainframe using credentials for an external partner should face different criteria than an incoming connection. However there are many install products that start off by a download to a PC and then up to the mainframe - these were what I was targeting my comments towards mainly. But I would also say again that all the vendors should be considering security in their transfer methods however initiated.

Jerry Whitteridge
Mainframe Engineering
Safeway Inc
925 951 4184
[email protected]

If everything seems under control, you're just not going fast enough.

> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[email protected]] On Behalf Of Gibney, Dave
> Sent: Thursday, July 23, 2009 9:20 AM
> To: [email protected]
> Subject: Re: CA Mainframe 2.0
>
> Just curious, why do you or your security folks care about
> the encryption at an external company where the data transfer
> is all incoming (to you). Seems that CA should be the one
> concerned about the security of their system (But they can't
> require secure transfer for everyone). I don't see how the
> security of credentials outgoing to an external site are the
> concern of your Security or Auditor, or PCI at all.

