How to Make the Mainframe PCI Compliant

essidsolutions

Most adults have a credit card and use it to pay for things. And with the COVID-19 pandemic, many companies are requesting credit card payments rather than cash, which they fear might be contaminated. Sweden is poised to become completely cashless by 2023.

When you use your credit card, how do you know that your information – and money – are safe? That’s where the Payment Card Industry Data Security Standard (PCI DSS) comes in. It provides an information security standard for organizations that handle branded credit cards from the major card schemes such as Visa, MasterCard, American Express, JCB International and Discover. 

The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI SSC). These standards are designed to protect cardholder data with reasonable checks, and, over the years, they have helped in that respect. As a credit card user, I want to know that my information is safe.

The PCI SSC doesn’t penalize organizations for non-compliance directly; it’s the five payment card brands that impose the fines. If your organization processes over six million credit card transactions per year, then the organization will receive a visit from a Qualified Security Assessor (QSA) for an onsite assessment – called a Report on Compliance (ROC). Companies with lower credit card transaction volumes carry out a self-assessment questionnaire (SAQ).

If a data breach occurs, organizations can be fined from $5,000 to $100,000 per month – the amount depends on the size of the merchant’s business and the degree of non-compliance. Fines are paid through higher transaction fees or service charges.


Risks of Ignoring PCI Compliance  

That’s all very interesting, but what has that got to do with mainframes? According to IBM, 87% of all credit card transactions are processed on a mainframe. And, probably, most of those are processed by IMS (Information Management System) – a mainframe transaction processing and database system. Your Chief Financial Officer is probably signing off the report to say that your company is PCI compliant. The shocking truth is that, in most cases, that isn’t true!

The standard is soon moving to Version 4, but the real problem with PCI compliance for mainframers started in 2018 with Version 3.2. There were two new requirements, Sections 10.5 and 11.5, which require file integrity checking for executables, configuration parameters, and log files on a regular basis. Compliance with these sections is evidentiary, so mainframe sites have to prove that they have been checking the required components regularly.

Until very recently, the only way to comply was a manual check – every week. Bear in mind that these new requirements aim to prevent and/or detect significant credit and debit data breaches. However, the result is that mainframe sites need to prove that they have been verifying their system has not been tampered with – and that verification has occurred regularly.


Why File Integrity Monitoring (FIM) Is the Future

Non-mainframe platforms that carry out credit card transactions probably use file integrity monitoring software, but, until recently, no such software had been available on mainframes. File integrity monitoring software can alert appropriate personnel when an unauthorized modification (including changes, additions, and deletions) occurs to a critical system file, configuration file, or content file. In addition, the software can be configured to perform critical file comparisons at least weekly. The software also allows the implementation of a process to respond to any alerts generated by the change-detection solution.

In early October, the PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight a threat called an ATM cash-out attack. This attack involves criminals breaching a bank or payment card processor and manipulating fraud detection controls as well as altering customer accounts so there are no limits to money withdrawals from numerous ATMs in a short period of time. It seems that criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash. 

The bulletin suggests that financial institutions and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. It goes on to say that these institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack. Included among its best practices for detecting this kind of attack is 24/7 monitoring capability, including file integrity monitoring systems (FIMs). With so many ATMs linked to IMS running on mainframes, this clearly highlights the need for FIM software to run on the mainframe.

How FIM Bridges the Mainframe Security Gap

Many people assume that their mainframe is secure and no-one ever gets hacked, but that’s not the case. In 2017, there was the attack on Equifax, where hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. Back in 2013, Gottfrid Svartholm Warg was charged with hacking Logica, a Swedish IT firm that provided tax services to the Swedish government and the Swedish Nordea bank, both mainframe users. So, mainframe hacks aren’t new and aren’t as rare as some people think.

The 2020 Cost of a Data Breach Report, conducted by the Ponemon Institute across over 500 data breaches and analyzed and published by IBM, found that the global average total cost of a data breach was $3.86 million. This figure varied in different parts of the world and, worryingly, peaked at $8.64 million in the USA, with healthcare showing the highest average breach costs at $7.13 million.

Perhaps the biggest surprise is how long it takes organizations to recognize they have been breached and contain the breach. The average figure is 280 days – and you can imagine what a hacker can be doing inside your organization in that time. Again, a clear indication that software to identify unauthorized changes, additions, and deletions to files (i.e., file integrity monitoring software) is long overdue.

What exactly does FIM software do for your mainframe: Firstly, it can keep your PCI auditors happy because, like them, it can check that the software in use is the correct version and release – the one that has had the latest security patches applied to it. And FIM products can produce evidence that these checks have been carried out successfully.

How do FIM systems work: A FIM system takes a snapshot of an application or configuration file and later (weekly, hourly, or whatever time interval is required) compares that snapshot with the current state of the application or configuration file. If they are different, then an alert can be sent to appropriate staff. The first snapshot has to be taken when the files are assumed to be unhacked – perhaps straight after QA testing. The snapshot uses a hashing algorithm, and the results are stored in a virtual vault – so that hackers can’t modify those as well as the file under attack.

Secure mainframe environments with regular scanning: FIM tools allow regular scans to be carried out. This, as mentioned above, might be weekly, daily, or even hourly for some very sensitive files. In addition, scans can be carried out on an ad hoc basis. This will detect any changes that have been made to files, particularly where required for PCI compliance.

Tackle security challenges with FIM software: As the Ponemon report highlights, many sites are finding the detection of a breach to be a real challenge. The extended length of time taken (280 days) is almost certainly due to the manual nature of the task. Using a FIM tool means that the breach can be detected and reported the next time a scan on the affected file is run. The alert, highlighting what’s been changed, can be sent as an email to a responsible person or to a SIEM (Security Information and Event Management) console, or both. The organization affected can then take the appropriate steps to deal with the breach – and this will be so much sooner than without having the FIM software installed.

Manage PCI Compliance effectively: One problem with identifying every change made to a file is that a lot of those changes will be planned, some may be the result of an older version of software being used, and, hopefully, only a small percentage of the changes identified will be malicious. To avoid being inundated with false positive alerts, the FIM software should be able to check with change authorization tools like ServiceNow, Remedy, etc., whether those changes were planned. It should also be able to tell whether the software in use is an old version rather than a hacked version, and it can do this by storing multiple snapshots of trusted versions of code in its vault. So, all alerts should be genuine alerts, ensuring the incident response team responds appropriately and quickly – and ensuring the organization stays PCI-compliant.


Bring Modern Threat Detection Capabilities to Mainframe

FIM tools often include the ability to do a quick scan. While the full scan computes a new hash every time it is run, a quick scan compares the metadata for a file and detects any differences between the trusted and current operating component. The quick scan can be used to provide coverage across the applications even during busy periods with minimal additional overhead. If this quick scan fails for any reason, a more focused scan is immediately invoked to pinpoint the invalid components.

Further, FIM can identify the interval in which the alteration took place. The time that an unsanctioned version of a component was implemented will have occurred between the time the last scan produced an ‘all OK’ result and the scan that detected the breach. This can be extremely useful information.
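To make the snapshot-and-compare process, the quick scan fallback, and the interval reporting described above concrete, here is a small added example in Python (not code from the article or from any mainframe FIM product). It assumes a local directory of files standing in for the executables and configuration members, and an in-memory dictionary standing in for the vault; the scan timestamps are constructed labels.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Full scan: hash the file contents in chunks (files may be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(path):
    """One vault record: trusted hash plus the metadata a quick scan compares."""
    st = os.stat(path)
    return {"hash": sha256_of(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}

def baseline(paths):
    """Build the vault from files assumed clean, e.g. straight after QA testing."""
    return {p: snapshot(p) for p in paths}

def quick_scan(vault, path):
    """Metadata-only comparison; cheap enough to run during busy periods."""
    st, rec = os.stat(path), vault[path]
    return st.st_size == rec["size"] and st.st_mtime_ns == rec["mtime_ns"]

def full_scan(vault, path):
    """Focused scan: rehash the file and compare with the trusted hash."""
    return sha256_of(path) == vault[path]["hash"]

def scan(vault, path, last_ok_scan, this_scan, full=False):
    """Quick scan first (unless a full scan is requested); on a mismatch, fall
    back to the hash comparison. A change must have happened between the last
    'all OK' scan and this one, so that window is reported with the alert."""
    if not full and quick_scan(vault, path):
        return {"path": path, "status": "ok"}
    if full_scan(vault, path):
        return {"path": path, "status": "ok"}
    return {"path": path, "status": "changed", "window": (last_ok_scan, this_scan)}

def demo():
    """Constructed scenario: two files baselined, one modified afterwards."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "app_module.bin"), os.path.join(d, "config.parm")
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(b"original trusted contents\n")
    vault = baseline([good, bad])
    with open(bad, "ab") as f:  # simulated unauthorized modification
        f.write(b"unexpected extra bytes\n")
    # Weekly run: last clean scan and this scan are constructed labels.
    return [scan(vault, p, "2020-10-01T02:00", "2020-10-08T02:00") for p in (good, bad)]
```

The `full=True` path is what a weekly evidentiary scan would use; a quick scan alone cannot see a change that preserves size and modification time.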

Basically, using FIM software on your mainframe will not only ensure that your mainframe is PCI-compliant, it can also enhance the overall security of your mainframe. And you’ll know that your credit card payments are completely secure, your CFO is happy, and auditors can tick the boxes that you are complying with all the latest regulations.
