>> Telnet behind your own firewalled, secure enterprise IS PCI compliant.

Which is exactly what we have.

>> On the subject of unencrypted communication, consider that MANY credit card clearing houses are reached through a Frame Relay connection, using an unencrypted, clear-text socket. In theory, this is 'secure' because it's 'yours'. You bought that virtual 'channel' through the Ma Bell network. But in reality, how secure is it to send cardholder info across the telco network? [which likely includes satellite up/down links] I would venture that this represents more vulnerability than you have inside your own enterprise.

I definitely agree about that.

>> The PCI data security standard also allows for any site to present "offsetting safeguards" to mitigate any non-compliant aspect of their operation by the implementation of business rules and procedures. A frank discussion with your clearing house that demonstrates 'due diligence' goes a long way toward keeping your 'compliant' certification.

We are actually removing the CC number from our UniVerse database anyway, so that should limit the scope of PCI on the UniVerse system. I really don't understand why they (Network Admin and PCI compliance contractor) insist telnet has to be turned off.

>> I state all this because I hate to see anyone making a database move out of a knee-jerk reaction to PCI. ... or a CIO wrapping their secret [sql] agenda in a 'PCI Compliant' guise.

I think it is both!

-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
