Hi Baker,

We too are looking at being PCI compliant. We have a UniVerse DB with SB+ and running telnet sessions on the client side.

We're being told that the credit card data must be separated from the application onto another database behind another firewall. This adds the complexity of communicating with another database (non-U2 product). Encrypting the data was just not enough. This is certainly turning into another Y2K-like money spinner...

Regards,
Jeff Marcos

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Baker Hughes
Sent: Friday, 27 April 2007 2:43 AM
To: [email protected]
Subject: RE: [U2] Off topic: PCI Compliance

As Bob noted, the DSS is a global initiative by the major card brands. It is huge, and produces negligible ROI for all your effort, except it protects your brand name, which is no small thing.

At least 1/2 of your effort is going to be other than in-house coding:

a) Reviewing / re-writing business processes/procedures in light of the standard. (Which will precipitate other code mods, not directly involved in your PCI implementation.)
b) Network scanning - initially and at regular intervals.
c) Attack simulation - test your defenses.
d) Response planning - in the event of successful penetration.

And if you are a service provider, the ante is even higher (if you process payment card transactions directly with banks, for others).

Although the deadline has passed, there are more non-compliant merchants and suppliers than the PCI Council can bludgeon effectively. That, according to what our compliance officer is reading. However, this default mercy would naturally evaporate the second someone penetrates your data security. (Fine$)

As for the encryption piece - it is reportedly easier with UV 10.2, but I still have questions about key management. Maybe someone who is on 10.2 or the UniData version that has 'Data-at-Rest' encryption at the database level can respond and explain how it works and fulfills the PCI DSS requirements. GPG provides the DES3 minimum requirement, and the coming/expected AES requirement.

The UniVerse ENCRYPT and ENCODE functions (10.0 or higher) are pretty good. Encrypt will do DES3 but won't handle key certificates. I have a simple workaround for outstanding IBM issue 8088. But these were only designed for 'Data-in-motion', not at rest.

HTH,
-Baker

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob Witney
Sent: Thursday, April 26, 2007 9:56 AM
To: [email protected]
Subject: RE: [U2] Off topic: PCI Compliance

No, we are looking at PCI DSS too. The Issuers are trying to get it in globally. I have a full spec if you would like it. Main problem we can see is the encryption; the rest of it is pretty straightforward.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brenda Price
Sent: 26 April 2007 15:32
To: [email protected]
Subject: [U2] Off topic: PCI Compliance

Just wondering whether any other companies are trying to deal with PCI compliance and if this is only limited to the US.

Brenda

-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
