According to IBM: As of 2016, all 65 of the world’s largest banks use mainframes to process and store PCI; 70% of the world’s corporate data is still managed by mainframes; and two-thirds of all U.S. banks’ business transactions run on mainframes.
The PCI DSS Standard
The primary focus of the Payment Card Industry Data Security Standard (PCI DSS) is the protection of cardholder data. PCI DSS is a set of required controls for cardholder data that is stored, processed or transmitted on any platform. Unfortunately, even though the majority of PCI data is stored and maintained on mainframes, many of those mainframes are currently not being evaluated or scanned accurately for PCI DSS compliance.
The mainframe is the most “securable” of any of the PCI platforms available today, but weak ESM implementations, improperly managed operating system controls, and/or software coding vulnerabilities can leave a company susceptible to attack.
Software code vulnerabilities are a particular danger because they can be researched and developed anywhere, and the resulting exploits can be “imported” into any mainframe environment. Therefore, it is not a viable risk assumption that few individuals with access to the mainframe operating environment would have the expertise to carry out an attack. There is a large distinction between developing an exploit and being able to execute it. In fact, the majority of software code vulnerabilities can be exploited using a CLIST or REXX Exec. Assuming few individuals know how to exploit mainframe vulnerabilities is unwise and portends negative results.
Following is a list of pertinent PCI DSS requirements and how they should be applied to mainframes, ESMs, and z/OS subsystems within the cardholder data environment.