An information security standard recommending strong protections for banks that handle credit, debit or ATM transactions through a mainframe is expected to get even tougher in the coming months. It points to a need for banks to pay more attention to PCI compliance and, some experts say, to rethink the use of mainframes for ATM and card transactions.
Late last year, the PCI Security Standards Council and the ATM Industry Association jointly issued a bulletin warning about cash-out attacks on ATMs, in which fraudsters manipulated fraud detection mechanisms and stole cash from the machines. In a blog post, the organizations recommended that banks running ATMs through a mainframe use software designed to monitor for any unusual changes in data that could indicate unauthorized access or malicious behavior. Such software is called file integrity monitoring. File integrity monitoring became part of the PCI standard's updates two years ago to address new needs as technology advances.
But though banks continue to lean on mainframes to process most transactions, including payments, experts wonder whether they are paying enough attention to this PCI recommendation. According to IBM, 44 of the top 50 banks use the IBM Z mainframe, and 86% of all credit card transactions run through the Z mainframe.
PCI compliance efforts can slip past a bank security team for any number of reasons, one being the belief that the mainframe has been in PCI scope all along, another that upcoming changes will make mainframe compliance a moot point.
“A lot of organizations have historically been able to avoid this,” said Chris Perry, cyber security strategist for BMC Software, a Houston-based provider of mainframe security and, as of January 2021, file integrity monitoring software through a partnership with MainTegrity, which is based in Calgary.
“The ideas that ‘you can’t hack a mainframe,’ or ‘we’re getting off the mainframe in five years so we don’t have to focus on it,’ or that the mainframe is impenetrable, have all proven to be wildly popular at organizations for the past twenty years,” Perry said. “But the mainframe doesn’t get an automatic pass, and organizations are working overtime trying to figure out how to gain and maintain compliance.”
IBM has made file integrity monitoring through its zSecure suite available to customers for more than six years, but acknowledges that BMC and its updates are important to mainframe operators.
Before the upgraded software became available, the only way to comply with PCI was to do a manual check every week to detect significant credit or debit data breaches. The banks would then have to prove they had been verifying that their system had not been tampered with and that it had been checked regularly, according to Trevor Eddolls, CEO of iTech-Ed, a security consulting firm in Wiltshire, England.
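The file integrity monitoring the bulletin describes, and the weekly manual tamper check that preceded it, both come down to the same mechanism: record a cryptographic hash (plus size and permissions) of every file that matters, keep that baseline somewhere the monitored system cannot rewrite it, re-scan on a schedule and report every file that was added, removed or changed. The Python script below is an added, constructed example that illustrates that mechanism; it is not code from the article, nor from BMC, MainTegrity or IBM. The directory layout, the job names and the `limits.cfg` file are invented stand-ins for a bank's batch job libraries and configuration datasets.

```python
"""
Minimal file integrity monitor (FIM): baseline, re-scan, diff.
Constructed example; directory layout and file names are invented.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, streamed so large files never load whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its hash, size and mode bits.
    Mode is recorded because a permission change (for example a job library becoming
    world-writable) is a tampering signal even when the content hash is unchanged."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. Lists are sorted so the report is deterministic."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: Path) -> None:
    # In production the baseline belongs off-host or on write-once storage: an attacker
    # who can edit the baseline can hide any change. A temp file is used for the demo only.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: snapshot a fake batch-job directory, then simulate one
    tampered file, one deleted file and one unknown new file, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "batch"
        (root / "jobs").mkdir(parents=True)
        (root / "jobs" / "ATMPOST.jcl").write_text("//ATMPOST JOB ...\n")
        (root / "jobs" / "CARDLOAD.jcl").write_text("//CARDLOAD JOB ...\n")
        (root / "limits.cfg").write_text("withdrawal_limit=500\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated cash-out style tampering: raise a limit, drop a job, plant a new one.
        (root / "limits.cfg").write_text("withdrawal_limit=999999\n")
        (root / "jobs" / "CARDLOAD.jcl").unlink()
        (root / "jobs" / "UNKNOWN.jcl").write_text("//UNKNOWN JOB ...\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, the demo reports `limits.cfg` as modified, `jobs/CARDLOAD.jcl` as removed and `jobs/UNKNOWN.jcl` as added. The two properties a PCI assessor looks for are visible in the design: the comparison is against a baseline the monitored host should not be able to rewrite, and each scan produces a dated, reproducible report that can be retained as evidence that the check was actually performed.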
“Worryingly for many mainframe sites, version 4.0 of the Data Security Standard is due out in the next year,” Eddolls added. “While it may have little change in some general regulations, the enforcement and scrutiny of compensating controls like FIM software is supposed to be vastly strengthened.”
PCI Security Standards Council executives declined to say whether bank mainframes are generally PCI compliant. They say the group establishes standards and guidance, but does not discuss specific compliance failures.
Similarly, IBM declined to address specific mainframe compliance concerns, saying it was an issue that varied from bank to bank. The company said it provides the needed compliance tools, software and security measures for PCI as well as other protections.
The American Bankers Association also viewed the compliance issue as one that would differ from bank to bank, but issued a statement regarding banks’ overall commitment to PCI compliance.
“Bank systems are secure because regulated financial institutions invest the time and resources needed to meet constantly evolving requirements set both by the government and nongovernmental sectors,” the association said. “The payment system is resilient and the current standards that support it are flexible enough to allow for a number of IT environments.”
Still, this could be a case in which security officers do not realize they are not PCI compliant because the bank’s mainframe is processing payment data through its own secure database management system, according to Eddolls.
“Your chief financial officer could be signing off on the report to say our company is PCI compliant,” Eddolls added. “The shocking truth is, sometimes, that’s not true.”
Rather than thinking of PCI compliance as a problem for bank mainframes, companies should think about PCI compliance for all systems that actively process and store primary account numbers, said Joe Krull, senior cybersecurity analyst for Aite Group.
That is partly why the common strategy of the past several years has been for banks to consider moving some, if not a majority of, card and payment data off the mainframe and into a cloud environment to get the mainframe out of PCI scope.
“I’ve done PCI readiness work for some of the largest organizations in the world and I’ve never recommended to a client that their mainframes should be in scope for PCI,” Krull said. “Mainframes are a strange beast and it’s both feasible and preferable to offload PCI processing and storage to more modern and flexible platforms.”
A small group of mainframe security vendors are using the PCI standard to make the case that moving processing and storage off the mainframe increases risk, Krull added. “I completely disagree and I’ve touched mainframes on four continents as part of PCI work. Taking the mainframe out of scope for PCI makes compliance easier and is actually more cost-effective.”
The push for cloud to become part of network strategy is likely to increase as cyber attacks get more sophisticated and relentless.
“IBM has said it’s continuing to modernize the mainframe alongside its heavily touted hybrid cloud strategy, which includes all platforms,” BMC Software’s Perry said. “This means IBM will support moving to the cloud or back onto the mainframe for workloads that are best served by the specific technology.”
What the hybrid cloud means for large enterprises is that “the mainframe is not a legacy platform sitting in a closet that no one can touch, but actually a fully connected modern server that continues to run the core business applications of all the largest banks,” Perry noted.
“This necessitates applying all the same best security practices to all systems, whether that be a standard Linux or Windows server, an Amazon Web Services instance, or the [IBM] z/OS on the mainframe,” Perry added.
Companies are adopting a position of “zero trust” across the board, iTech-Ed’s Eddolls noted, citing a National Institute of Standards and Technology stance this year that, in part, stated an enterprise should monitor the integrity and security of all owned and associated assets, in that “no asset is inherently trusted.”
As more security providers point to file integrity monitoring as a key element, it only reinforces and “highlights its pivotal role in mainframe security,” Eddolls said.