This question refers to these two messages, produced when a user enters an invalid userid and/or an invalid password:
NSX952 - USERID: xxxxxxx NOT DEFINED TO SECURITY SYSTEM
N20E02 - PASSWORD IS INVALID
Our concern is that the messages are too explanatory to a would-be attacker trying to gain access to our systems.
If the attacker receives PASSWORD IS INVALID, then they know the userid entered is valid and only the password is incorrect.
If the attacker receives USERID NOT DEFINED, then they know it is the userid that is not known to the system.
For both of the above messages, are we able to change each to produce the same, simpler message, such as:
USERID OR PASSWORD IS INVALID. PLEASE RE-ENTER
so that we do not reveal whether it is specifically the userid or the password that is incorrect?
Release : 5.0
For SOLVE:ACCESS SESSION MANAGEMENT release 5.0, there is a new security parameter to comply with PCI standards.
The new LOGONMSG SXCTL security parameter lets administrators comply with Payment Card Industry Data Security Standards (PCI DSS) for incorrect login attempts. These standards specify that users who attempt to log in to a product with an incorrect password or an incorrect user name receive a generic failure message that one of these credentials is incorrect. These standards enhance security by not informing potential hackers of which credential (user name or password) is valid.
Add the parameter 'LOGONMSG PCI' to the SXCTL file.
To implement support for this new parameter, apply PTF R093353.
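As an added illustration (not SOLVE:ACCESS code), the handler below models the effect of the LOGONMSG setting: in PCI mode the user sees one generic message whichever credential failed, while the precise reason still goes to the operator-side audit log. The user table, salt, hypothetical "VERBOSE" mode name and "LOGON ACCEPTED" text are constructed assumptions; the failure message texts are the ones quoted above.

```python
"""Illustrative logon-response handler modelling the SXCTL LOGONMSG parameter."""
import hashlib
import hmac

# Constructed sample user store: userid -> salted SHA-256 password hash.
_SALT = b"sample-salt"


def _hash(pw: str) -> bytes:
    return hashlib.sha256(_SALT + pw.encode()).digest()


USERS = {"ALICE": _hash("correct-horse")}

# Message texts as quoted on the page; the logonmsg value selects which set is shown.
VERBOSE_MSGS = {
    "NOUSER": "NSX952 - USERID: {userid} NOT DEFINED TO SECURITY SYSTEM",
    "BADPW": "N20E02 - PASSWORD IS INVALID",
}
GENERIC_MSG = "USERID OR PASSWORD IS INVALID. PLEASE RE-ENTER"


def logon(userid: str, password: str, logonmsg: str, audit: list) -> tuple:
    """Return (success, message_for_user); `audit` collects the operator-side record."""
    user = userid.upper()
    # Run the hash comparison even for unknown userids, so the unknown-user path
    # does not finish measurably faster than the bad-password path (a timing
    # difference would leak the same information the generic message hides).
    stored = USERS.get(user, _hash("dummy-for-unknown-user"))
    ok = hmac.compare_digest(stored, _hash(password))
    if user in USERS and ok:
        audit.append(f"LOGON OK user={user}")
        return True, "LOGON ACCEPTED"
    reason = "NOUSER" if user not in USERS else "BADPW"
    # The real reason is recorded for operators and detection, never shown to the user.
    audit.append(f"LOGON FAIL user={user} reason={reason}")
    if logonmsg == "PCI":
        return False, GENERIC_MSG
    return False, VERBOSE_MSGS[reason].format(userid=user)
```

With logonmsg set to "PCI", an unknown userid and a wrong password for a known userid produce byte-identical responses, while the audit list still distinguishes the two cases.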