PCI compliance involves, amongst other things, encrypting PAN information, e.g. credit card numbers, using 'strong encryption', e.g. TDES. We coded CICS programs to make ICSF calls (CSFENC and CSFDEC) to encrypt and decrypt data using secure keys.

We hit a little bit of a glitch earlier this week (courtesy of IBM) in securing access to the ability to decrypt data. IBM provide (as part of ICSF) a CICS task related user exit (ICSF-CICS Attachment Facility) so that the calls to CSFENC and CSFDEC don't put the CICS address space into an OS wait; instead the calling transaction is put into a CICS wait. However, we found out that when this TRUE is used the security context for authorisation to issue CSFDEC (and any other ICSF call) is the CICS address space user ID rather than the signed-on user invoking the transaction issuing the ICSF call.

I raised this with IBM - passed this on to the ICSF developers and some CICS and RACF developers. The response was that it is working as designed! There was an agreement that it is a bit crap and they may change this (but don't hold your breath!). The suggestions were: use as is, write your own TRUE, or build some security into the application using EXEC CICS QUERY SECURITY. We have done the latter.
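
A sketch of the application-level check described above, written as an added COBOL example and not the code from the original post: the program asks the security manager whether the signed-on user has READ access before it calls CSFDEC, and fails closed on any other answer. The resource class and profile (CSFSERV / CSFDEC), the key label, the zero IV, the status codes and the commarea layout are assumptions made for illustration; the caller is assumed to pass the 34-byte commarea.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. PANDEC.
      * Added example, not the author's code. Assumed: RACF class
      * CSFSERV with profile CSFDEC, key label, IV, commarea layout.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-RESCLASS      PIC X(8)  VALUE 'CSFSERV'.
       01  WS-RESID         PIC X(6)  VALUE 'CSFDEC'.
       01  WS-RESID-LEN     PIC S9(8) COMP VALUE 6.
       01  WS-READ-CVDA     PIC S9(8) COMP.
       01  WS-RESP          PIC S9(8) COMP.
       01  WS-RC            PIC S9(8) COMP.
       01  WS-REASON        PIC S9(8) COMP.
       01  WS-EXIT-LEN      PIC S9(8) COMP VALUE 0.
       01  WS-EXIT-DATA     PIC X(4)  VALUE SPACES.
      * Hypothetical CKDS key label, padded to 64 bytes.
       01  WS-KEY-LABEL     PIC X(64) VALUE 'EXAMPLE.PAN.KEY'.
       01  WS-TEXT-LEN      PIC S9(8) COMP VALUE 16.
       01  WS-IV            PIC X(8)  VALUE LOW-VALUES.
       01  WS-RULE-COUNT    PIC S9(8) COMP VALUE 1.
       01  WS-RULE-ARRAY    PIC X(8)  VALUE 'CBC'.
       01  WS-CHAIN-VECTOR  PIC X(18) VALUE LOW-VALUES.
       LINKAGE SECTION.
       01  DFHCOMMAREA.
           05  CA-STATUS       PIC X(2).
           05  CA-CIPHER-TEXT  PIC X(16).
           05  CA-CLEAR-TEXT   PIC X(16).
       PROCEDURE DIVISION.
           MOVE SPACES TO CA-CLEAR-TEXT
      * Checked against the signed-on user, not the region user ID.
           EXEC CICS QUERY SECURITY
                RESCLASS(WS-RESCLASS)
                RESID(WS-RESID) RESIDLENGTH(WS-RESID-LEN)
                READ(WS-READ-CVDA) LOGMESSAGE(LOG) RESP(WS-RESP)
           END-EXEC
      * Fail closed: anything but a clean READABLE answer is a denial.
           IF WS-RESP NOT = DFHRESP(NORMAL)
              OR WS-READ-CVDA NOT = DFHVALUE(READABLE)
              MOVE 'NA' TO CA-STATUS
           ELSE
              CALL 'CSFDEC' USING WS-RC WS-REASON WS-EXIT-LEN
                   WS-EXIT-DATA WS-KEY-LABEL WS-TEXT-LEN
                   CA-CIPHER-TEXT WS-IV WS-RULE-COUNT
                   WS-RULE-ARRAY WS-CHAIN-VECTOR CA-CLEAR-TEXT
              IF WS-RC = 0
                 MOVE 'OK' TO CA-STATUS
              ELSE
                 MOVE 'ER' TO CA-STATUS
                 MOVE SPACES TO CA-CLEAR-TEXT
              END-IF
           END-IF
           EXEC CICS RETURN END-EXEC.
```

With LOGMESSAGE(LOG), a denied check is still recorded by the security manager, so attempts by unauthorised users to reach the decrypt path remain visible in the audit trail.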