
The Importance of PCI DSS Vulnerability Management for z/OS

Heidi Losee

January 22, 2020

Security breaches are devastating in any industry, but credit card breaches tend to dominate the headlines. On the consumer side, think about the potential consequences if your credit card information were stolen. Now think about how much damage was caused by the theft of 64.4 million card details exposed in breaches last year.

Breaches of customer cardholder data are devastating for businesses, as well, with the repercussions resulting in fines, reputational damage, and potential lost business. That’s why the major payment card brands – Visa, MasterCard, American Express, Discover and JCB – banded together to create the Payment Card Industry Security Standards Council (PCI SSC).

The Payment Card Industry Data Security Standard (PCI DSS) was designed by the PCI SSC to define the controls required of merchants and service providers that store, process or transmit cardholder data, on any platform. The goal is to protect all cardholder data, so PCI DSS applies to any business that accepts, transmits or stores credit card data, whether it is a financial institution, a major retailer or a small business. Its prescriptive requirements help ensure security, protecting consumers and businesses alike.

How does PCI DSS apply to the mainframe?

The global credit card industry largely relies on mainframes to function. In fact, 87 percent of the world’s credit card transactions are processed on the mainframe. That means that many organizations, even if they’re not firmly in the finance industry, must comply with PCI DSS standards.

If organizations that process credit card transactions don’t meet the standard, they risk noncompliance fines levied by the card brands through their acquiring banks, as well as costly audits. But perhaps even more troubling, not complying with PCI DSS would mean those mainframes aren’t adequately protected against potential threats, leaving vast amounts of consumer financial information open to attack.

The role of vulnerability management

A key component of PCI DSS compliance is maintaining a vulnerability management program. Requirement 6.1 requires organizations to have a process in place for identifying security vulnerabilities, using reputable outside sources for vulnerability information, and assigning a risk ranking (for example, high, medium or low) to newly discovered vulnerabilities; Requirement 11.2 adds quarterly internal and external vulnerability scans, with rescans after any significant change. Vulnerabilities can exist almost anywhere in the payment card processing ecosystem, from point-of-sale devices to web shopping applications to servers and mainframes.

On the mainframe, vulnerability scanning is about more than the anti-malware and patching controls that dominate PCI DSS discussions on distributed platforms. If coded or configured improperly, system utilities, installation exits, SVC routines and APF-authorized programs can be exploited to bypass the controls of the external security manager (RACF, ACF2 or Top Secret) and of z/OS itself, regardless of how well the application layer is secured. Vulnerability scanning should therefore go beyond the application layer to include ongoing scanning of the operating system configuration and its authorized code, so that security is verified at every level of the environment. In this way, organizations can maintain ongoing PCI DSS compliance and protect sensitive consumer data at the same time.
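As an added illustration of what an operating-system-level check with a PCI DSS style risk ranking looks like in practice (example code written for this article, not Rocket's product code or anything published by the PCI SSC), the script below evaluates an inventory of APF-authorized libraries against a few well-known z/OS integrity rules: an APF entry that names a dataset not present on its volume, a RACF dataset profile in WARNING mode, a UACC of UPDATE or higher, and update access granted to ID(*) or to IDs outside change control. The inventory is constructed for the example; in a real environment it would be built from the `D PROG,APF` console command and the profiles' `LISTDSD` output. The `TRUSTED_UPDATERS` set and the HIGH/MEDIUM/LOW mapping are assumptions for illustration, not a standard-mandated scheme.

```python
"""Risk-rank APF-authorized library exposures (illustrative, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List

# RACF dataset access levels, weakest to strongest.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Hypothetical groups allowed to modify authorized libraries under change control.
TRUSTED_UPDATERS = {"SYSPROG", "SMPE"}

RANK_ORDER = {"CLEAN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class ApfLibrary:
    dsname: str
    volume: str
    exists: bool                    # is the dataset really present on that volume?
    uacc: str                       # UACC of the covering RACF DATASET profile
    warning: bool = False           # profile in WARNING mode: violations logged, access allowed
    access_list: Dict[str, str] = field(default_factory=dict)  # RACF ID -> access level


@dataclass
class Finding:
    dsname: str
    rank: str                       # HIGH / MEDIUM / LOW
    reason: str


def at_least(level: str, threshold: str) -> bool:
    """True if RACF access 'level' is as strong as or stronger than 'threshold'."""
    return ACCESS_ORDER.index(level.upper()) >= ACCESS_ORDER.index(threshold.upper())


def rank_library(lib: ApfLibrary) -> List[Finding]:
    """Apply the integrity rules to one APF entry and return ranked findings."""
    findings: List[Finding] = []
    if not lib.exists:
        # Whoever can allocate a dataset with this name on this volume supplies authorized code.
        findings.append(Finding(lib.dsname, "HIGH",
                                f"APF entry names a dataset not present on {lib.volume}"))
    if lib.warning:
        findings.append(Finding(lib.dsname, "HIGH",
                                "profile in WARNING mode: any user can update, violations only logged"))
    if at_least(lib.uacc, "UPDATE"):
        findings.append(Finding(lib.dsname, "HIGH",
                                f"UACC({lib.uacc}) lets any user modify an authorized library"))
    for who, level in lib.access_list.items():
        if not at_least(level, "UPDATE"):
            continue                # READ/EXECUTE on an authorized library is normal
        if who == "*":
            findings.append(Finding(lib.dsname, "HIGH", f"ID(*) has {level}"))
        elif who.upper() in TRUSTED_UPDATERS:
            findings.append(Finding(lib.dsname, "LOW",
                                    f"{who} has {level}; confirm change-control coverage"))
        else:
            findings.append(Finding(lib.dsname, "MEDIUM",
                                    f"{who} has {level} but is not a recognised change-control ID"))
    return findings


def scan(inventory: List[ApfLibrary]) -> List[Finding]:
    return [f for lib in inventory for f in rank_library(lib)]


def summarize(inventory: List[ApfLibrary]) -> Dict[str, str]:
    """Worst rank per library, 'CLEAN' if no rule fired."""
    worst = {lib.dsname: "CLEAN" for lib in inventory}
    for f in scan(inventory):
        if RANK_ORDER[f.rank] > RANK_ORDER[worst[f.dsname]]:
            worst[f.dsname] = f.rank
    return worst


def sample_inventory() -> List[ApfLibrary]:
    """Constructed sample data; dataset names, volumes and IDs are fictional."""
    return [
        ApfLibrary("SYS1.LINKLIB", "SYSRES", True, "READ", access_list={"SYSPROG": "ALTER"}),
        ApfLibrary("PAYAPP.AUTH.LOAD", "PAY001", True, "UPDATE", access_list={"PAYDEV": "ALTER"}),
        ApfLibrary("OLDVEND.APFLIB", "WORK01", False, "NONE"),
        ApfLibrary("VENDOR.TOOL.LOAD", "TOOL01", True, "READ", warning=True,
                   access_list={"*": "READ"}),
    ]


if __name__ == "__main__":
    for f in scan(sample_inventory()):
        print(f"{f.rank:6} {f.dsname:20} {f.reason}")
```

Each rule maps to a concrete way that authorized code can be introduced or modified outside change control, which is why the library-level result feeds the risk ranking PCI DSS asks for rather than a simple pass/fail. Running the same checks on a schedule, and after every IPL or APF list change, is what turns a one-off audit into the ongoing scanning the requirement describes.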