A data security standard recommending strong security for banks that handle credit, debit or ATM transactions through a mainframe is expected to get even tougher in the coming months. It points to a need for banks to pay more attention to PCI compliance and, some experts say, to rethink the use of mainframes for ATM and card transactions.
Late last year, the PCI Security Standards Council and ATM Industry Association jointly issued a bulletin
But though banks continue to lean on mainframes to process most transactions, including payments, experts wonder whether they are paying enough attention to this PCI recommendation. According to IBM, 44 of the top 50 banks use the IBM Z mainframe and 86% of all credit card transactions run through the Z mainframe.
PCI compliance efforts can slip past a bank security team for any number of reasons, one being the belief that the mainframe has been within PCI scope all along, another that upcoming changes will make mainframe compliance a moot point.
"A lot of organizations have historically been able to avoid this," said Chris Perry, cyber security strategist for BMC Software, a Houston-based provider of mainframe security and, as of January 2021, file integrity monitoring software through a partnership with MainTegrity, which is based in Calgary.
"The idea that 'you can’t hack a mainframe,' or 'we’re getting off the mainframe in five years so we don’t need to focus on it,' or that the mainframe is impenetrable, have all proven to be wildly popular at organizations for the past two decades," Perry said. "But the mainframe doesn’t get an automatic pass and organizations are working overtime trying to figure out how to gain and maintain compliance."
IBM has made file integrity monitoring through its ZSecure suite available to customers for more than six years, but acknowledges BMC and its updates are critical to mainframe operators.
Before the upgraded software became available, the only way to comply with PCI was to do a manual check every week to detect significant credit or debit data breaches. The banks would then have to prove they had been verifying their system had not been tampered with and that it had been checked regularly, according to Trevor Eddolls, CEO of iTech-Ed, a security consulting firm in Wiltshire, England.
"Worryingly for many mainframe sites, version 4.0 of the Data Security Standard is due out in the next year," Eddolls added. "While it may have little change in some general regulations, the enforcement and scrutiny of compensating controls like FIM software is supposed to be greatly strengthened."
PCI Security Council executives declined to say whether bank mainframes are generally PCI compliant. They say the organization establishes standards and guidance, but does not discuss specific compliance failures.
Similarly, IBM declined to address specific mainframe compliance problems, saying it was an issue that varied from bank to bank. The company said it provides the needed compliance tools, software and security measures for PCI as well as other protections.
The American Bankers Association also viewed the compliance issue as one that would differ from bank to bank, but issued a statement regarding banks' overall commitment to PCI compliance.
“Bank systems are secure because regulated financial institutions invest the time and resources needed to meet constantly-evolving requirements set both by the government and nongovernmental sectors,” the association said. “The payment system is resilient and the current standards that support it are flexible enough to allow for a number of IT environments.”
Still, this could be a case in which security officers don't realize they are not PCI compliant because the bank's mainframe is processing payment data through its own secure database management system, according to Eddolls.
"Your chief financial officer is probably signing off on the report to say our company is PCI compliant," Eddolls added. "The shocking truth is, in most cases, that isn't true."
Rather than thinking of PCI compliance as a problem for bank mainframes, companies should think about PCI compliance for all systems that actively process and store primary account numbers, said Joe Krull, senior cybersecurity analyst for Aite Group.
This is in part why the common strategy of the past several years has been for banks to consider moving some, if not a majority of, card and payment data off the mainframe and into a cloud environment to get the mainframe out of PCI scope.
"I’ve done PCI readiness work for some of the largest organizations in the world and I have never recommended to a client that their mainframes should be in scope for PCI," Krull said. "Mainframes are a strange beast and it’s both feasible and preferable to offload PCI processing and storage to more modern and flexible platforms."
A small group of mainframe security vendors are using the PCI standard to make the case that moving processing and storage off the mainframe increases risk, Krull added. "I completely disagree and I’ve touched mainframes on four continents as part of PCI work. Taking the mainframe out of scope for PCI makes compliance easier and is certainly more cost effective."
The push for cloud becoming part of network strategy is likely to increase as cyber attacks get more sophisticated and relentless.
"IBM has said it is continuing to modernize the mainframe alongside its heavily touted hybrid cloud strategy, which includes all platforms," BMC Software's Perry said. "This means IBM will support moving to the cloud or back onto the mainframe for workloads that are best served by the specific technology."
What the hybrid cloud means for large enterprises is that "the mainframe is not a legacy platform sitting in a closet that no one can touch, but actually a fully connected modern server that continues to run the core business applications of all the largest banks," Perry noted.
"This necessitates applying all the same best security practices to all systems, whether that be a classic Linux or Windows server, an Amazon Web Services instance, or the [IBM] z/OS on the mainframe," Perry added.
Companies are adopting a position of “zero trust” across the board, Tech-Ed's Eddolls noted, citing a National Institute of Standards and Technology stance this year that, in part, stated an enterprise should monitor integrity and security of all owned and associated assets in that "no asset is inherently trusted."
As more security providers point to file integrity monitoring as a key element, it only reinforces and "highlights its pivotal role in mainframe security," Eddolls said.