There has been a lot of discussion back and forth at my company as to what it
means to meet the PCI DSS (Payment Card Industry Data Security Standard)
requirement for data at rest, which I believe refers to the following from the
PCI DSS v3.0:
3.4 Render PAN unreadable anywhere it is stored (including on portable digital
media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography, (hash must be of the entire
PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures.
The argument is whether or not hardware disc encryption of mainframe DASD meets
this requirement.
On non-mainframe platforms it is my understanding that "encrypted file systems"
are what is used for PANs in "non-database" repositories. Basically, flat
files. For databases I believe there are things done at the database level
that encrypt the data prior to it being stored within the database's file
system. (Or maybe they do both?)
Anyway, other than maybe z/OS Unix files, I don't think that z/OS really has
anything similar to non-mainframe file systems. So does encryption just at
the disc/DASD level comply with the requirement? IBM would love to sell us
their IBM InfoSphere Guardium Data Security product, but that only supports DB2
and IMS databases. This does not address VSAM files or simply sequential
datasets (flat files). Our card system stores all of its data in VSAM (for
"master files") and uses flat files for "work files" during batch reporting.
So if encrypted disc doesn't comply, what are our options? I argue that
encrypted disc does comply, but I seem to be losing that battle.
One thing I am absolutely against is changing applications that handle card
data to do encryption/decryption at the application level, calling some sort of
encryption API. There needs to be a "system level" answer.
I know there must be others out there that deal/struggle with this. What do
you do?
Frank
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
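As an added illustration of three of the four approaches that the quoted 3.4 text lists (hash of the entire PAN, truncation, index tokens), and of the kind of scan one would run over work files, logs or backups to confirm nothing at rest still holds a readable PAN, the following Python is an example written for this page; it is not code from Frank's post, the IBM-MAIN list, or IBM. It assumes the usual first-six/last-four truncation format (3.4 itself does not fix the positions), uses HMAC-SHA256 as the keyed one-way hash, stands in an in-memory dictionary for the token "pad", and uses a constructed Luhn-valid test number rather than a real PAN. Encryption with key management, the fourth approach, is not shown.

```python
"""Added example: rendering a PAN unreadable as PCI DSS 3.4 describes
(hash of the entire PAN, truncation, index tokens) plus a check that a
stored record carries neither a cleartext PAN nor correlatable forms.
Not code from the IBM-MAIN post or from IBM. Python standard library only."""
import hashlib
import hmac
import re
import secrets

# Constructed test value: a Luhn-valid number commonly used for testing,
# not a real cardholder's PAN.
SAMPLE_PAN = "4111111111111111"

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate PAN lengths


def luhn_valid(pan: str) -> bool:
    """Sanity check that a digit string has a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    """Truncation: keep a leading and trailing segment, discard the middle.
    Assumption: the usual first-six/last-four form; the requirement text
    itself does not fix the positions."""
    middle = len(pan) - keep_leading - keep_trailing
    if middle <= 0:
        raise ValueError("PAN too short to truncate safely")
    return pan[:keep_leading] + "*" * middle + pan[-keep_trailing:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the ENTIRE PAN. HMAC-SHA256 with a secret key is used
    rather than a bare digest: the space of valid PANs is small enough that an
    unkeyed hash of a full PAN can be reversed by enumeration, so the key must
    be managed like an encryption key and stored apart from the hashed data."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: the stored record holds a random token with no
    mathematical relation to the PAN; the token-to-PAN map is the 'pad' that
    3.4 says must be securely stored (an in-memory dict here, for illustration)."""

    def __init__(self) -> None:
        self._pan_for_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # prefix keeps it clearly non-numeric
        self._pan_for_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_for_token[token]


def contains_cleartext_pan(text: str) -> bool:
    """True if a 13-19 digit run that passes Luhn appears in the text: the
    scan to run over work files, logs and backup media at rest."""
    return any(luhn_valid(m.group()) for m in PAN_RE.finditer(text))


def record_is_compliant(record: dict) -> bool:
    """A stored record passes if no field holds a cleartext PAN and it does
    not carry both a truncated and a hashed form of the same PAN. Kept side by
    side, the truncated digits narrow the search for the hash's preimage to the
    missing middle, which is why 3.4 forbids hashing the truncated segment."""
    for value in record.values():
        if isinstance(value, str) and contains_cleartext_pan(value):
            return False
    return not ("pan_hash" in record and "pan_truncated" in record)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from an HSM or key manager
    vault = TokenVault()
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("hashed:   ", hash_pan(SAMPLE_PAN, key))
    tok = vault.tokenize(SAMPLE_PAN)
    print("token:    ", tok, "->", vault.detokenize(tok))
    print("log line compliant?", record_is_compliant({"msg": f"auth ok pan={SAMPLE_PAN}"}))
    print("hash+trunc compliant?", record_is_compliant(
        {"pan_hash": hash_pan(SAMPLE_PAN, key), "pan_truncated": truncate_pan(SAMPLE_PAN)}))
```

The record check is the piece that matters for the VSAM and flat-file case in the post: whatever rendering is chosen, a scan of the datasets at rest (and of the batch work files and logs 3.4 explicitly names) should find no Luhn-valid digit runs, and no record should hold both the hash and the truncated form of one PAN.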