By Ray Overby, Key Resources
Chances are, as a retailer, you rely on the mainframe to power your business. As many as 23 of the world’s top 25 retailers use the mainframe to make sure they can provide their customers with the personalized service today’s consumer craves. The IBM z13 is capable of processing 2.5 billion transactions per day, the equivalent of roughly 100 Cyber Mondays.
Retail transactions, which often involve credit cards, require secure processing. That is one of the mainframe’s strong suits, and it is why 87% of the world’s credit card transactions are processed on the platform.
As important as the mainframe is to retail, the security and maintenance of those mainframes is often overlooked. That includes staying compliant with all manner of regulations designed to protect both your business and your customers.
Any retailer processing cardholder data has to make sure its IT systems comply with the Payment Card Industry Data Security Standard (PCI DSS), for example. PCI DSS is designed to protect cardholder data that is stored, processed or transmitted on any platform, and it requires organizations to establish a process to identify security vulnerabilities and assign a risk ranking to any newly discovered vulnerability (Requirement 6.1 in PCI DSS v3.x).
Compliance with these complex requirements is often easier said than done, and the retail industry is no exception.
A recent survey shows that even though most retailers want their PCI compliance rate to be higher than 70%, many small merchants are struggling with PCI compliance and with building a PCI program. Some don’t understand the need for compliance, some don’t know how to start a PCI program, and some don’t have the time, resources or funds to dedicate to it. Worse still, there are merchants who don’t even know they need to engage with PCI DSS.
PCI DSS is complex to apply on any platform, and mainframes add complexities of their own. Let’s take a look at some specific PCI DSS requirements and how they can be applied to z/OS systems.
1. “Develop and maintain secure systems and applications.”
Complying with PCI DSS means making sure that your systems are secure at every level. That includes checking for vulnerabilities not just at the application level but at the operating system level as well. System integrity and secure coding standards are not new to z/OS: IBM has published a system integrity statement for the operating system since 1973, and it commits IBM to fixing flaws that let an unauthorized program bypass the operating system’s or the external security manager’s (ESM’s) controls. Retailers need to perform vulnerability scans of their own and third-party code as part of their standard QA process, so that the integrity of the system is not compromised by an integrity vulnerability that the ESM cannot see.
2. “Do not use vendor-supplied defaults for system passwords and other security parameters.”
All mainframe system software comes with vendor-supplied defaults, whether for z/OS itself, ESM products, databases, job schedulers or online transaction processing systems such as CICS. Default user IDs, initial passwords and default protection settings are documented in the vendor’s own manuals, so an attacker knows them too. Resist the temptation to assume that those vendor-supplied defaults are good enough for your business. Automated configuration reviews can be performed to validate that defaults have been removed or changed, and repeated after every upgrade, since maintenance can reintroduce them.
3. “Protect all systems against malware and regularly update antivirus software or programs.”
Traditional antivirus products do not apply to z/OS in the way they do to distributed platforms, but the requirement still has a mainframe meaning. It is a known fact that system utilities, exits and privileged (APF-authorized) programs, if coded improperly, can be exploited by an ordinary user to gain authorized state and bypass ESM and z/OS controls; a program that does so is the mainframe equivalent of malware. Mainframe vulnerability scans will help businesses locate those potential vulnerabilities so that they can be fixed or removed, which is how you protect the platform against malicious code.
4. “Restrict access to cardholder data by business need-to-know.”
The principle of least privilege has been an important mainframe concept since the 1970s. The fewer people who have access to sensitive data, and the fewer user IDs that hold system-wide attributes such as SPECIAL or OPERATIONS, the less risk is involved. Automated configuration reviews can be performed to ensure that access controls and privileged attributes follow the company’s security policy rather than accumulating over time.
The mainframe is the most “securable” of the platforms on which cardholder data is processed today, but any number of things, such as improperly managed operating system controls or coding vulnerabilities in system software, can leave a company susceptible to attack. Remember, attackers only need to be right once to spell disaster for both you and your customers.
Ray Overby is a Co-Founder and President of Key Resources, Inc. (KRI), a software and security services firm specializing in mainframe security. A recognized world authority in mainframe security, risk and compliance for IBM z Systems environments, Overby heads the KRI technical team. Drawing on more than 30 years of experience in z Systems, in both hands-on technical development and strategic roles, Overby’s multidimensional and solutions-driven approach is highly valued by clients and third-party technology partners, and he is much in demand as a speaker.