Manage Learn to apply best practices and optimize your operations.

PCI data security standards and the System i

The System i OS can be a very handy platform to build a secure environment for PCI processing. But the first step to acheiving PCI DSS compliance is knowing what is required. Rich Loeber goes through the requirements and explains what aspects of AS/400 security implementation can help with attaining PCI compliance on the system.

Rich Loeber

The acronym "PCI" has been around for a while, but many in the System i world may think of it as a PC bus standard....

But, in these days of enforced security, PCI has taken on a new definition. The PCI that I'll talk about here is the standard term for the "Payment Card Industry." That's right, we're talking here about credit and debit card processing.

It seems like not a month goes by without some new story about compromised credit card information. Stories vary, but anyone with a security background can see that these issues were all preventable. The credit card processing industry (PCI) recognizes the issue and has formed a council, the PCI Security Standards Council. This council, in turn, has started issuing standards for companies to adopt to avoid future issues. Their primary standard is known as the PCI Data Security Standard, also known as PCI DSS.

The PCI DSS contains 12 primary points for credit card processing companies to address. These points are organized into six areas of concern. As I look through these points, I can clearly see areas where the System i OS would be a very handy platform to build a secure environment for PCI processing.

Build and maintain a secure network is the first area covered. Requirement 1 calls for the implementation of a network firewall, so that leaves your System i out. Requirement 2 calls for you to NOT use vendor supplied default passwords. Any System i security officer worth their salt should already have this well in hand. If not, option #1 on the SECTOOLS menu will help.

Protect cardholder data is the next area listed, with two sub-points under it. Requirement 3: protect cardholder data, and Requirement 4: use data encryption when cardholder data is passed over public networks. Your System i has good security features in both of these areas, especially the newer OS releases that support encryption keys and secure connections. A new consideration for public exposure includes encrypting backup tapes, so keep that in mind as well.

Maintain a vulnerability management program is the third area. The two sub-points here are Requirement 5: use and regularly update anti-virus software, and Requirement 6: develop and maintain secure systems and applications. Anti-virus is not a direct feature of the OS, so this falls into the same category as the firewall, it is an outside requirement. But, developing secure systems is a real strength of the System i and the OS includes all the features that you may need.

Implement strong access control measures is the fourth area, with three sub-points. Requirement 7 calls for you to restrict access to cardholder data on a need to know basis only. Your System i's resource security will take care of this easily. Requirement 8 is to assign a unique user ID to each person with access to your computer. Again, your System i can handle this, provided you have a strong security policy in place. Requirement 9 addresses physical access to cardholder data. This is, by nature, external to your i and depends on your security policy implementation.

Regularly monitor and test networks is the fifth area, with two sub-points. Requirement 10 calls for you to track and monitor all access to network resources and cardholder data. Security audit controls on the System i can help with implementing this, but for full coverage you may also need to consider implementing exit point controls. Requirement 11 calls on you to regularly test security systems and processes. The PCI DSS procedures manual outlines a whole range of tests that can be done to validate your installation.

Maintain an information security policy is the sixth and final area, and its single focus is to do just that. A strong security policy informs company personnel of what is expected of them and what their responsibilities are for maintaining a secure environment.

The PCI Security Standards Council maintains a website where this information and more is available, including their complete procedures manual for PCI DSS. The Security Council also provides certification for security assessors and there is a self assessment tool available.

If you have any questions about this topic, you can reach me at, I'll give it my best shot. All email messages will be answered.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Did you find this helpful? Write to the editor about your IBM i concerns at

This was last published in March 2009

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.