Lizette,

If the CC # is encrypted, then the PCI standard is met, and yes it would be much more difficult to identify. Validation that a string of numbers is a CC # can be done by running a specific function against the 16 digits (I can't recall right now what it's called). If there are ANY alphabetic characters in the string, it's automatically NOT a CC # in the clear (which is what PCI prohibits). If it's encrypted, then the string will contain alphabetic characters. I would not think that the PCI auditors would be asking to have the utility decrypt the #'s. If that were the case, then yes, that would be a worry, as it could show that there was a possible hole and problem.
Would running this scan be a pain in the ****? Yes. And yes, this would take a lot of time/CPU. Showing the auditors how long it would take to search ALL the files may be enough to "soothe" them.

Peter

On Tue, 1 Sep 2009 09:53:54 -0400, Lizette Koehler <stars...@mindspring.com> wrote:

>Doc,
>
>I would think you would need to review source code and copybooks for this rather than every file. Since I would hope that the CC Number is encrypted, it would be that much harder to identify what specifically is a cc number. But I could be wrong.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
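
The check function mentioned in the message above is the Luhn (mod 10) checksum. As an added example, not part of the original thread: a scanner that looks for runs of exactly 16 digits in EBCDIC records, keeps only the Luhn-valid ones, and reports them masked. The cp037 code page, the record layout, the function names and the sample values are assumptions constructed for illustration.

```python
import re

# Exactly 16 digits, not part of a longer digit run. Any alphabetic character
# inside the run breaks the match, so encrypted/encoded values are skipped.
CANDIDATE = re.compile(r"(?<![0-9])[0-9]{16}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: bytes, encoding: str = "cp037"):
    """Return (offset, masked_number) for each Luhn-valid 16-digit run."""
    # Assumption: single-byte code page, so text offsets equal byte offsets.
    text = record.decode(encoding, errors="replace")
    hits = []
    for m in CANDIDATE.finditer(text):
        number = m.group()
        if luhn_ok(number):
            # Mask the middle digits so the report holds no clear number.
            hits.append((m.start(), number[:6] + "******" + number[-4:]))
    return hits


# Constructed sample records (EBCDIC cp037); 4111111111111111 is a test number.
SAMPLE_RECORDS = [
    "CUST0001 4111111111111111 SMITH".encode("cp037"),   # clear, Luhn-valid
    "CUST0002 1234567890123456 JONES".encode("cp037"),   # 16 digits, fails Luhn
    "CUST0003 A1B2C3D4E5F6A7B8 BROWN".encode("cp037"),   # contains letters
    "CUST0004 41111111111111111 GREEN".encode("cp037"),  # 17 digits, not 16
]

if __name__ == "__main__":
    for recno, rec in enumerate(SAMPLE_RECORDS, start=1):
        for offset, masked in scan_record(rec):
            print(f"record {recno} offset {offset}: {masked}")
```

The Luhn step only cuts false positives from 16-digit fields such as account or sequence numbers; a passing value is a candidate for review, not proof of a card number.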