New Payment Card Industry Data Security Standards (PCI DSS) went into place at the end of the June, with implications for anyone who handles cardholder data.
As a result of the new PCI requirements, organizations must update to a more secure encryption protocol – TLS v1.1 or higher.
Now is an important time for financial institutions to check on their compliance status and troubleshoot any issues.
With 90 percent of global credit card transactions processed by a mainframe, here are some issues organizations need to consider to stay PCI compliant with their mainframes.
Even though much of PCI data is stored and maintained on mainframes, many are currently not being evaluated or scanned accurately for PCI DSS compliance. Though applying PCI to the mainframe requires a specialized set of skills, protection of cardholder data should not be conditionally excluded because the environment where that data is stored is not fully understood.
In general, organizations are more vulnerable than they might think. The mainframe is the most “securable” of any of the PCI platforms available today, but weak ESM implementations, improperly managed operating system controls, and/or software coding vulnerabilities can leave a company susceptible to attack.
One of the strengths of the mainframe operating system (z/OS) is that application programs can be developed anywhere in the world and, for the most part, given similar supporting software, will run unchanged on any other system in the world.
But, in the case of software code vulnerabilities, this is also a danger. It means that vulnerabilities can be researched and developed anywhere, and the exploits can be “imported” into any company’s internal environment. So, it is not a viable risk assumption that few individuals with access to the company’s systems would have the expertise to carry out an attack.
There is a large distinction between developing an exploit and being able to execute it. In fact, the majority of software code vulnerabilities can be exploited using a CLIST or REXX Exec.
Assuming that few individuals know how to exploit mainframe vulnerabilities is simply not a good security or business decision. Remember, attackers only need to be right once to spell disaster for both you and your customers.