PayThink: Mainframes Are a Card Data Disaster Waiting to Happen
New Payment Card Industry Data Security Standard (PCI DSS) requirements went into effect at the end of June, with implications for anyone who handles cardholder data. Under the new requirements, organizations must move to a more secure encryption protocol: TLS v1.1 or higher. Note that the PCI Security Standards Council's migration guidance treats TLS 1.1 as the floor and strongly recommends TLS 1.2 or higher, so a migration that stops at 1.1 satisfies the minimum, not the recommendation. Now is an important time for financial institutions to check on their compliance status and troubleshoot any issues.

With 90 percent of global credit card transactions processed by a mainframe, here are some issues organizations need to consider to stay PCI compliant with their mainframes.

Even though much of the data in PCI scope is stored and maintained on mainframes, many of those systems are currently not being evaluated or scanned accurately for PCI DSS compliance. Applying PCI to the mainframe requires a specialized set of skills, but protection of cardholder data should not be conditionally excluded simply because the environment where that data is stored is not fully understood. In general, organizations are more vulnerable than they might think.

The mainframe is the most securable of the PCI platforms available today, but a weak External Security Manager (ESM, such as RACF) implementation, improperly managed operating system controls, or software coding vulnerabilities can leave a company susceptible to attack.

One of the strengths of the mainframe operating system, z/OS, is that application programs can be developed anywhere in the world and, for the most part, given similar supporting software, will run unchanged on any other system in the world. In the case of software code vulnerabilities, that portability is also a danger: vulnerabilities can be researched and exploits developed anywhere, and those exploits can be imported into any company's internal environment. So it is not a viable risk assumption that few individuals with access to the company's systems would have the expertise to carry out an attack. There is a large distinction between developing an exploit and being able to execute it. In fact, the majority of software code vulnerabilities can be exploited using nothing more than a CLIST or REXX exec, interpreted scripts that any TSO user can run. Assuming that few individuals know how to exploit mainframe vulnerabilities is simply not a good security or business decision. Remember, attackers only need to be right once to spell disaster for both you and your customers.