We have a customer who is exploring how to achieve PCI DSS compliance in their z/OS environment. Their perception (I deliberately do not use the word "conviction", as they are by no means convinced of this) is that they need to move the CDE applications to a separate Sysplex. This seems excessive to me, but I am not a QSA by any means; my competing perception is based on not having seen other customers do that, including banks and issuers.
Also, there's a concern that having an internal firewall between the z/OS systems and the internal network will lead to downtime, because "firewalls aren't that reliable". Again, that doesn't jibe with my impression; I've done many deployments where z/OS work had to pause to wait for a firewall change, but that was a one-time thing (well, ok, I've also seen things break because the firewall got changed later to undo some change, maybe this is what they're referring to, but that's a process issue, not a firewall weakness per se).

And yes, I realize these are pretty vague questions, but that's the stage we're at. Any thoughts much appreciated!

--
...phsiii
Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
HP Security Voltage
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
