The PCI Data Security Standard only addresses the protection of cardholder information. The standard is not intended for any other data (although, in my opinion, the specification would tend towards being a good idea for any *sensitive* information that you would want to protect.) See https://www.pcisecuritystandards.org. There's an especially good dos and don'ts document at https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
It would seem that if your goal is to attain the standards, then you should have a thorough understanding of the standards. Otherwise, you might spend a lot of time looking for the right anti-virus software to run on z/OS.

For CA MSM, all credentialed and sensitive information (none of which is subject to the PCI standard, by the way) is passed via HTTPS. The only data passed via FTP are CA assets, product ESD files and solutions, passed back to you via FTP originating from your z/OS image. It also happens to be anonymous FTP, so the only 'credential' that is passed is the user's email address. The security and interactions are exactly the same as those that would be performed if you were to connect to support.ca.com and do your downloads to your PC.

Scott Fagen
Principal Architect
Mainframe 2.0
CA

On Thu, 23 Jul 2009 07:51:14 -0500, Jeff Grigg <[email protected]> wrote:

>We started looking at using this but soon found out it does not support
>secure FTP so that came to a quick halt. CA has said this may come in the
>future. With PCI requirements SFTP is a must for us.

On Thu, 23 Jul 2009 09:15:03 -0500, Hal Merritt <[email protected]> wrote:

>I could be wrong (and often am) but I think PCI only cares about cardholder data and some ancillary processes (like system security).
>
>A documented (and management approved) exception with compensating controls ought to be sufficient. Of course, much depends on the quality of the auditors.

On Thu, 23 Jul 2009 09:36:20 -0600, Jerry Whitteridge <[email protected]> wrote:

>Agreed -- we are allowed no unsecured file transfer to the mainframe due
>to PCI. Our preference is FTPS but we could (for certain kludges) work
>with SFTP. All vendors need to be reconsidering their supported
>protocols.
>
>Jerry Whitteridge
>Mainframe Engineering
>Safeway Inc
>925 951 4184
>[email protected]

