The primary focus of the Payment Card Industry Data Security Standard (PCI DSS) is the protection of cardholder data. PCI DSS provides controls for cardholder data that is stored, processed, or transmitted on any platform.
The Payment Card Industry’s (PCI) Data Security Standard (DSS) requires that any business that processes credit card payments abide by a strict set of guidelines to ensure data security. So why, when 87 per cent of the world’s credit card transactions are processed on the mainframe, do PCI auditors ignore the mainframe when doing an assessment?
Even though much of PCI data is stored and maintained on mainframes, many are currently not being evaluated or scanned accurately for PCI DSS compliance. PCI vulnerability scanning and penetration testing is performed on the network and at the application level, mainly web and LAN server. The majority of penetration testers consider the mainframe out of scope.
Applying PCI standards to the mainframe presents unique challenges. Let’s dive into why PCI compliance is uniquely difficult in the context of mainframe environments.
The mainframe knowledge gap
Not having an appropriate understanding of mainframe security or believing in the long standing creed that mainframes are inherently secure are not valid reasons to ignore this environment or justify writing off the risk to cardholder data.
Applying PCI to the mainframe requires a specialized set of skills and a deep technical understanding of platforms and their security systems. Most internal security specialists, auditors, and CIOs are now coming from distributed systems expertise and not mainframe expertise. The average person coming from a distributed network background finds the complexity of the enterprise security managers on the mainframe overwhelming. Most external auditors and penetration testers don’t have a background in mainframe security and therefore don’t know how to exploit even the simplest vulnerability.
Vulnerability disclosure by vendors is inadequate
So, what does PCI DSS actually require? Any organization that deals with cardholder data must have a process to identify security vulnerabilities and assign a risk ranking to any newly discovered vulnerabilities.
Individuals responsible for PCI compliance are running up against an industry-wide problem: Mainframe patches and vulnerabilities are not widely communicated by vendors, making it hard to know what you’re protecting against.
PCI requires businesses to evaluate and rate the risks involved with vendors’ patches and security updates. But, even though vendors might provide a database of integrity and security patches to apply, there’s usually no description of what those patches will fix – there’s not enough information to accurately assign a risk ranking.
Organizations are left with a few imperfect options. They can blindly trust vendors that the patch won’t adversely impact their systems, spend valuable time regressing the code to figure out what the integrity fix actually does, or simply not apply the patch or upgrade. If updates are corrupted, they can create operational issues like lengthy downtimes, which spells disaster for the mainframe. It’s possible that organizations might ignore a security update because they’re just not sure what it’s protecting against or whether it’s worth the risk.
But, when businesses don’t apply patches or updates from vendors, the consequences can be disastrous. Hackers can exploit those vulnerabilities and steal the sensitive payment data that mainframes have been tasked with protecting. The PCI Security Standards Council advocates for rigorous patching, acknowledging that up to 80 per cent of hacking attacks could be prevented by both installing software patches and strengthening passwords.
Another challenge when it comes to maintaining PCI compliance stems from the fact that lots of CIOs don’t come from the mainframe world. Since their background is usually in distributed environments, they’re often simply not that comfortable managing the mainframe.
There’s an increasing risk of companies moving data away from the mainframe and toward less-secure systems, because it’s so challenging to stay compliant when you’re dealing with credit card information. From a compliance and vulnerability standpoint, it can be less complex for a CIO or CISO to take payment data and management to a different computing system.
That’s ultimately a mistake. Despite the challenges involved, the mainframe still is the most secure way to manage sensitive data.
“This is a platform that, if properly maintained, could provide world-class security,” PCI compliance and security expert David Gamey of Control Gap, Inc. explained in a recent interview. “Yet, many organizations are not using it for this high-value asset, which is their loss.”
The bottom line is that protection of cardholder data should not be conditionally excluded because the cardholder data environment is not fully understood. The mainframe is the most “securable” of any of the PCI platforms available today, but weak ESM implementations’, improperly managed operating system controls, and/or software coding vulnerabilities can leave a company susceptible to attack. And remember, attackers only need to be right once to spell disaster for your organization.