PCI data security standards and the System i


Rich Loeber, Contributor
03.10.2009

The acronym "PCI" has been around for a while, but many in the System i world may think of it as a PC bus standard. But, in these days of enforced security, PCI has taken on a new definition. The PCI that I'll talk about here is the standard term for the "Payment Card Industry." That's right, we're talking here about credit and debit card processing.

It seems like not a month goes by without some new story about compromised credit card information. Stories vary, but anyone with a security background can see that these issues were all preventable. The credit card processing industry (PCI) recognizes the issue and has formed a council, the PCI Security Standards Council. This council, in turn, has started issuing standards for companies to adopt to avoid future issues. Their primary standard is known as the PCI Data Security Standard, also known as PCI DSS.

The PCI DSS contains 12 primary points for credit card processing companies to address. These points are organized into six areas of concern. As I look through these points, I can clearly see areas where the System i OS would be a very handy platform to build a secure environment for PCI processing.

Build and maintain a secure network is the first area covered. Requirement 1 calls for the implementation of a network firewall; that is a network device, so it leaves your System i out. Requirement 2 calls for you to NOT use vendor-supplied default passwords. Any System i security officer worth their salt should already have this well in hand. If not, option 1 on the SECTOOLS menu will help.
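As an added illustration of the Requirement 2 check (not code from the article), the following CL commands do what SECTOOLS option 1 does from the command line: report every user profile whose password matches its profile name, first in report-only mode, then in the enforcing form. The output file name PRFLIST is an assumption used for illustration.

```cl
/* Report-only pass: lists profiles whose password equals the profile    */
/* name (the classic "vendor default" case). Nothing is changed.         */
ANZDFTPWD ACTION(*NONE)

/* Enforcing pass, once the report has been reviewed: disable the        */
/* matching profiles and expire their passwords so they must be reset.  */
/* ANZDFTPWD ACTION(*DISABLE *PWDEXP)                                    */

/* Supporting evidence for an assessor: password-related attributes      */
/* (expiration, last change, disabled status) for every profile.        */
PRTUSRPRF TYPE(*PWDINFO)

/* Machine-readable copy of all profiles for further review; PRFLIST in */
/* QTEMP is an assumed, constructed name.                               */
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(QTEMP/PRFLIST)
```

Run the report-only pass on a schedule and keep the spooled output; a clean ANZDFTPWD report is the kind of artifact an assessor will ask for under Requirement 2.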

Protect cardholder data is the next area listed, with two sub-points under it. Requirement 3: protect stored cardholder data, and Requirement 4: use data encryption when cardholder data is passed over public networks. Your System i has good security features in both of these areas, especially the newer OS releases that support encryption keys and secure connections. Encrypting backup tapes is a newer consideration under public exposure, since tapes leave the building, so keep that in mind as well.

Maintain a vulnerability management program is the third area. The two sub-points here are Requirement 5: use and regularly update anti-virus software, and Requirement 6: develop and maintain secure systems and applications. Anti-virus is not a direct feature of the OS, so, like the firewall, it is an outside requirement. But developing secure systems is a real strength of the System i, and the OS includes all the features that you may need.

Implement strong access control measures is the fourth area, with three sub-points. Requirement 7 calls for you to restrict access to cardholder data on a need-to-know basis only. Your System i's resource security will take care of this easily. Requirement 8 is to assign a unique user ID to each person with access to your computer. Again, your System i can handle this, provided you have a strong security policy in place. Requirement 9 addresses physical access to cardholder data. This is, by nature, external to your i and depends on your security policy implementation.
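Here is an added example (not from the article) of how Requirements 7 and 8 map onto System i resource security: the cardholder file is closed to *PUBLIC, access is granted through an authorization list rather than individual grants, and each person gets their own profile in a group profile instead of a shared login. The library CARDLIB, file CARDHLDR, authorization list CARDAUTL, group profile PAYCLERK and user JSMITH are all constructed names.

```cl
/* Requirement 7: need-to-know access to the cardholder file.            */
/* Create the authorization list with public authority *EXCLUDE.         */
CRTAUTL AUTL(CARDAUTL) AUT(*EXCLUDE) TEXT('Cardholder data - need to know')

/* Attach the list to the file and make the file's public authority      */
/* come from the list, so *PUBLIC resolves to *EXCLUDE.                  */
GRTOBJAUT OBJ(CARDLIB/CARDHLDR) OBJTYPE(*FILE) AUTL(CARDAUTL)
GRTOBJAUT OBJ(CARDLIB/CARDHLDR) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* Requirement 8: a group profile that nobody signs on with (no          */
/* password), and one profile per person underneath it. The initial     */
/* password is a placeholder and is expired so it must be changed at    */
/* first sign-on.                                                        */
CRTUSRPRF USRPRF(PAYCLERK) PASSWORD(*NONE) TEXT('Group: payments staff')
CRTUSRPRF USRPRF(JSMITH) PASSWORD(INITIAL1) PWDEXP(*YES) GRPPRF(PAYCLERK) +
          TEXT('Jane Smith - payments')

/* Grant the group, not the individual, read access through the list.    */
ADDAUTLE AUTL(CARDAUTL) USER(PAYCLERK) AUT(*USE)

/* Verify: the only non-owner entries should be *PUBLIC *AUTL and the    */
/* authorization list itself.                                            */
DSPOBJAUT OBJ(CARDLIB/CARDHLDR) OBJTYPE(*FILE)
```

Keeping access on the authorization list means a personnel change is one ADDAUTLE or RMVAUTLE, and DSPOBJAUT on the file stays short enough to be reviewed at a glance, which is what a need-to-know review under Requirement 7 needs.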

Regularly monitor and test networks is the fifth area, with two sub-points. Requirement 10 calls for you to track and monitor all access to network resources and cardholder data. Security audit controls on the System i can help with implementing this, but for full coverage you may also need to consider implementing exit point controls. Requirement 11 calls on you to regularly test security systems and processes. The PCI DSS procedures manual outlines a whole range of tests that can be done to validate your installation.
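As an added example for Requirement 10 (not the article's own code), these commands switch on the security audit journal, add object-level auditing for the cardholder file and the payments group, pull the relevant entries into a file for review, and show where exit-point controls plug in. CARDLIB/CARDHLDR and PAYCLERK are the constructed names from the access-control discussion above; AUDENT is an assumed output file name.

```cl
/* Enable system-wide security auditing into QAUDJRN. The QAUDLVL set   */
/* here covers authority failures, object create/delete, security       */
/* changes and save/restore, which is what an assessor expects to see.  */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *CREATE *DELETE *SECURITY *SAVRST)

/* Audit every read and change of the cardholder file itself.           */
CHGOBJAUD OBJ(CARDLIB/CARDHLDR) OBJTYPE(*FILE) OBJAUD(*ALL)

/* Audit object access and commands for the payments group profile.     */
CHGUSRAUD USRPRF(PAYCLERK) OBJAUD(*ALL) AUDLVL(*CMD)

/* Extract authority failures (AF), object reads (ZR) and object        */
/* changes (ZC) for the review period into a database file. The dates   */
/* are placeholders for the period being reviewed.                       */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF ZR ZC) +
       FROMTIME('01/01/09' '000000') TOTIME('01/31/09' '235959') +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDENT)

/* Network access (ODBC, FTP, file serving) bypasses green-screen menus, */
/* so the registered exit points are where that traffic can be logged   */
/* and filtered. This lists them; registering a program is site-specific. */
WRKREGINF EXITPNT(*ALL)
```

The audit journal records what the OS sees; the exit points cover the server jobs that reach the data over the network, and both are needed for the "all access" wording of Requirement 10.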

Maintain an information security policy is the sixth and final area, and its single focus is to do just that. A strong security policy informs company personnel of what is expected of them and what their responsibilities are for maintaining a secure environment.

The PCI Security Standards Council maintains a website where this information and more is available, including their complete procedures manual for PCI DSS. The Security Council also provides certification for security assessors and there is a self assessment tool available.

If you have any questions about this topic, you can reach me at rich@kisco.com, I'll give it my best shot. All email messages will be answered.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
