Phil,

There is a RACF list that might also provide insight on PCI DSS functions. If you have not joined, you can do so at this URL

RACF http://www.listserv.uga.edu/archives/racf-l.html

Here are some links that might help with understanding

http://www-01.ibm.com/support/knowledgecenter/SSSN2Y_2.0.0/com.ibm.tsiem.doc_2.0/mmodules/pci_about.html

http://searchsecurity.techtarget.com/tip/Mainframe-security-best-practices-for-compliance-with-PCI-DSS

You will probably have to provide an email to read this. I use a bogus one for this site

http://www.ibmsystemsmag.com/aix/administrator/security/System--Secured/

http://www.rshconsulting.com/RSHpres/RSH_Consulting__PCI_&_RACF__2012-05.pdf

The way the data is protected should provide the direction for PCI DSS functions. If only authorized users can access the data and no one else, then additional layers of security may cause performance considerations.

Money vs. Security vs. Importance of Data

Lizette

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]]
> On Behalf Of Phil Smith
> Sent: Thursday, July 23, 2015 7:55 AM
> To: [email protected]
> Subject: PCI DSS compliance question
>
> We have a customer who is exploring how to achieve PCI DSS compliance in
> their z/OS environment. Their perception (I deliberately do not use the word
> "conviction", as they are by no means convinced of this) is that they need to
> move the CDE applications to a separate Sysplex. This seems excessive to
> me, but I am not a QSA by any means; my competing perception is based on
> not having seen other customers do that, including banks and issuers.
>
> Also, there's a concern that having an internal firewall between the z/OS
> systems and the internal network will lead to downtime, because "firewalls
> aren't that reliable". Again, that doesn't jibe with my impression; I've done
> many deployments where z/OS work had to pause to wait for a firewall
> change, but that was a one-time thing (well, ok, I've also seen things break
> because the firewall got changed later to undo some change - maybe this is
> what they're referring to - but that's a process issue, not a firewall weakness
> per se).
>
> And yes, I realize these are pretty vague questions, but that's the stage
> we're at. Any thoughts much appreciated!
> --
> ...phsiii
>
> Phil Smith III
> Senior Architect & Product Manager, Mainframe & Enterprise HP Security
> Voltage
>
> [email protected]<mailto:[email protected]>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to
> [email protected] with the message: INFO IBM-MAIN
