Society of Payment Security Professionals Forum  

  #1  
Old 03-18-2009, 03:27 AM
sniper
Junior Member
 
Join Date: Feb 2009
Posts: 3
MQ series and PCI Compliance

Has anyone had to address the issue of card data stored by IBM's MQ series? This could particularly be a problem when connectivity is lost and the MQ messages are queued up until connectivity is restored. There could be tens of thousands of queued messages containing card data!

If that challenge has been met by anyone previously then I would welcome advice on how to remediate it.

Thanks.
  #2  
Old 03-18-2009, 04:03 AM
jbhall56
Senior Member
 
Join Date: Feb 2007
Location: Minneapolis, MN
Posts: 1,277

Your MQ issue is no different than any system that batch processes transactions. Key requirements that you need to meet include making sure the server(s) in question are properly hardened and secured, access to those servers is extremely limited, and the data store is encrypted and only the key custodians and the necessary MQ processes have access to the encryption keys.

If you do all of this as well as meet all of the other relevant PCI requirements, then you should be compliant.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
  #3  
Old 03-18-2009, 12:04 PM
dbergert
Member
 
Join Date: Mar 2007
Location: Iowa
Posts: 82

Quote:
Originally Posted by sniper
This could particularly be a problem when connectivity is lost and the MQ messages are queued up until connectivity is restored. There could be tens of thousands of queued messages containing card data!
Note the verbiage noted in:
Quote:
Do not store sensitive authentication data after authorization (even if encrypted)
Notice it says after authorization - what you describe, SAF (Store and Forward) from a Payment Host/Switch to the payment endpoints/Networks.

That being said you need to have controls in place to protect the data, monitor the size of the queues, and others as Jeff suggests.
__________________
David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com
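
One way to do the queue-depth monitoring suggested in the post above, as an added example that is not part of the original thread: it parses the text that runmqsc prints for `DISPLAY QSTATUS(*) CURDEPTH` and flags queues holding more messages than a per-queue limit. The queue names, limits and sample output are constructed for illustration.

```python
import re

# Constructed sample of runmqsc output for: DISPLAY QSTATUS(*) CURDEPTH
# Queue names are hypothetical.
SAMPLE = """\
AMQ8450: Display queue status details.
   QUEUE(PAY.SAF.TO.NETWORK)               TYPE(QUEUE)
   CURDEPTH(18250)
AMQ8450: Display queue status details.
   QUEUE(PAY.AUTH.REPLY)                   TYPE(QUEUE)
   CURDEPTH(3)
AMQ8450: Display queue status details.
   QUEUE(SYSTEM.DEAD.LETTER.QUEUE)         TYPE(QUEUE)
   CURDEPTH(41)
"""

# MQSC prints attributes as NAME(value), one or two per line.
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")

def parse_qstatus(text):
    """Return {queue_name: current_depth} from DISPLAY QSTATUS output."""
    depths, queue = {}, None
    for line in text.splitlines():
        if line.startswith("AMQ"):   # message header starts a new record
            queue = None
            continue
        for key, value in ATTR.findall(line):
            if key == "QUEUE":
                queue = value.strip()
            elif key == "CURDEPTH" and queue is not None:
                depths[queue] = int(value)
    return depths

def depth_alerts(depths, limits, default_limit=1000):
    """Return sorted (queue, depth, limit) tuples for queues over their limit."""
    alerts = []
    for queue, depth in depths.items():
        limit = limits.get(queue, default_limit)
        if depth > limit:
            alerts.append((queue, depth, limit))
    return sorted(alerts)

# Hypothetical limits: a store-and-forward queue may back up during an outage,
# while anything on the dead-letter queue is unexpected and should be reviewed.
LIMITS = {"PAY.SAF.TO.NETWORK": 5000, "SYSTEM.DEAD.LETTER.QUEUE": 0}

if __name__ == "__main__":
    for queue, depth, limit in depth_alerts(parse_qstatus(SAMPLE), LIMITS):
        print(f"ALERT {queue}: depth {depth} exceeds limit {limit}")
```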
  #4  
Old 05-01-2009, 01:03 PM
derekwh
Junior Member
 
Join Date: May 2009
Posts: 1
MQ and PCI Compliance

Yes - messages that sit on a queue are at risk, but more at risk are in-flight messages that can be read, copied, replaced at will due to not implementing the objects and procedures specific to MQ that enable security (MQ is wide open out of the box, and is implemented that way maybe 90% of the time in my experience, with reliance on "network perimeter security" to also protect MQ).

Derek.
IBM Certified WebSphere MQ Specialist.

All times are GMT -8.


Copyright (c) The Aegenis Group, Inc.