Complying with the PCI standard is a normal part of doing business in today’s credit-centric world. But, PCI applies to multiple platforms.
The challenge becomes how to map the general PCI requirements to a specific platform, such as IBM i. And, more importantly, how can you maintain—and prove—compliance?
This slideshow will help you understand:
- How PCI requirements relate to IBM i systems
- IBM i-specific barriers to compliance
- How PowerTech security solutions help you fulfill PCI requirements, meet compliance guidelines, and satisfy auditors
You’ll have the knowledge and confidence you need to evaluate PCI compliance requirements and prepare your IBM i system for today’s regulatory challenges.
2. An Introduction to PCI Compliance on IBM Power Systems
AGENDA
• Introductions
• Overview of PCI
• The 12 Requirements
• How HelpSystems Can Help
• Q&A
3. An Introduction to PCI Compliance on IBM Power Systems
YOUR PRESENTER
Robin Tatam, CBCA CISM
Director of Security Technologies,
HelpSystems
+1 952-563-2768
robin.tatam@helpsystems.com
4. An Introduction to PCI Compliance on IBM Power Systems
ABOUT HELPSYSTEMS’ SECURITY INVESTMENT
• Expansive Multi-Platform Software Portfolio.
• Comprehensive Professional Services.
• World-Class Security Experts:
– Robin Tatam, CISM
– Carol Woodbury, CRISC
• Member of PCI Security Standards Council.
• Authorized by NASBA to Issue CPE Credits for Security Education.
• Publisher of the Annual “State of IBM i Security” Report.
6. An Introduction to PCI Compliance on IBM Power Systems
OVERVIEW OF PCI
• What Is PCI DSS?
– Payment Card Industry (PCI) Data Security Standard (DSS)
• Developed to encourage and enhance cardholder data security
• Facilitates the broad adoption of consistent data security measures globally
– PCI DSS Requirements & Security Assessment Procedures
• Uses the 12 PCI DSS requirements as its foundation
• Combines them with corresponding testing procedures
– Designed for use by assessors conducting onsite reviews for:
• Merchants
• Service providers
7. An Introduction to PCI Compliance on IBM Power Systems
WHO MUST COMPLY WITH PCI DSS?
• Each card-issuing brand has its own set of validation and reporting requirements:
– Any entity that stores, processes, and/or transmits cardholder data must comply with PCI DSS
– Entities may include but are not limited to:
• Merchants
• Service providers
• Small companies complete a self-assessment questionnaire (SAQ) while larger companies must pass an audit by a Qualified Security Assessor (QSA)
8. An Introduction to PCI Compliance on IBM Power Systems
PCI = 3-YEAR LIFECYCLE
[Lifecycle graphic: the three-year standard cycle laid out by month, with an "additional key dates" callout: best practices for v3 became requirements in June 2015]
9. An Introduction to PCI Compliance on IBM Power Systems
MORE CLARITY AND GUIDANCE
10. An Introduction to PCI Compliance on IBM Power Systems
ASSESSING RISK FROM INSIDE
• PCI 2.x required only external vulnerability assessments
– Quarterly scans
– Easily provided by outside vendors
• PCI 3.0 requires external and internal vulnerability assessments
– Still quarterly scans—for now
– Not easy for outside vendors to do (e.g., requires VPN or hardware agent)
– What will internal assessment find?
• PCI 3.2 requires Two-Factor Authentication (2FA) for administrators
HelpSystems can help!
11. An Introduction to PCI Compliance on IBM Power Systems
INTRINSIC CONTROLS
• IBM supplies numerous security components, but few tools
– User profiles
– Object authorities
– Message queues
– QAUDJRN
– System values
– Dedicated Security Tools (DST)
– Exit points
– Database triggers
– SNMP, SSH, SFTP, SCP, SSL, TLS
• Verify that you both document how these are employed in PCI compliance and that they are still effective
13. An Introduction to PCI Compliance on IBM Power Systems
THE 12 REQUIREMENTS OF PCI DSS
Control objectives, with the PCI DSS requirements under each:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
www.pcisecuritystandards.org
15. An Introduction to PCI Compliance on IBM Power Systems
COMPREHENSIVE SOLUTION SUITE
17. An Introduction to PCI Compliance on IBM Power Systems
OPTION 1 – IBM i SECURITY SCAN
Main categories of review, including admin profiles, public authority, system values, exit points, anti-virus, user activities, and auditing
Completes in under 5 minutes
Includes executive summary
Accompanied by live review and Q&A
Personalized recommendations
7-day grace period
FREE!
18. An Introduction to PCI Compliance on IBM Power Systems
OPTION 2 – HELPSYSTEMS RISK ASSESSMENT
System values
Object authorities
TCP/IP configuration
Objects that adopt authority
User profiles
Application security models
Authorization lists
… And much more!
Deep analysis of 100+ risk points, with expert oversight
19. An Introduction to PCI Compliance on IBM Power Systems
COMPREHENSIVE SOLUTION SUITE
HelpSystems Security Services
20. An Introduction to PCI Compliance on IBM Power Systems
HOW HELPSYSTEMS CAN HELP
• HelpSystems solutions and services can be used to help comply with one or more PCI requirements
• We’ve already mapped each PCI requirement to the applicable security solution and its features in our guide to “PCI 3.0 Compliance for Power Systems Running IBM i”
www.helpsystems.com -> Resources -> View All Resources -> search on ‘PCI’
or
https://www.helpsystems.com/resources/p/keywords/pci
21. An Introduction to PCI Compliance on IBM Power Systems
INTERNAL ACCESS CONTROL
22. An Introduction to PCI Compliance on IBM Power Systems
INTERNAL ACCESS CONTROL
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
– Closing back doors even in the presence of perimeter firewalls.
Requirement 3: Protect stored cardholder data. (Encryption)
– Encrypt data at rest to ensure data is meaningless when accessed outside of approved applications.
Requirement 7: Restrict access to cardholder data by business need-to-know.
– Grant network access to data to only those users with a demonstrated need. All others are excluded by default.
23. An Introduction to PCI Compliance on IBM Power Systems
INTERNAL ACCESS CONTROL
Requirement 10: Track and monitor all access to network resources and cardholder data.
– Audits and reports on network-initiated events.
Requirement 11: Regularly test security systems and processes.
– Manages and audits network access to critical files.
24. An Introduction to PCI Compliance on IBM Power Systems
FIREWALL FOR IBM i
Access Control & Alerting
Manage access to critical data through exit points; comprehensive reporting provides an audit trail
SECURES ACCESS FROM: FTP, ODBC, JDBC, SQL, Remote Command
25. An Introduction to PCI Compliance on IBM Power Systems
SECURE BACK DOORS, EVEN WITH FIREWALL PRESENT
[Diagram: employees, customers, and remote employees; two of the groups are limited to menu access only. Without exit-point control: no visibility to network activity, no control of network activity, no security monitoring]
26. An Introduction to PCI Compliance on IBM Power Systems
ALLOW ACCESS TO USERS WITH A DEMONSTRATED NEED
27. An Introduction to PCI Compliance on IBM Power Systems
AUDIT AND REPORT ON NETWORK-INITIATED EVENTS
28. An Introduction to PCI Compliance on IBM Power Systems
ALLOW ACCESS TO USERS WITH A DEMONSTRATED NEED
29. An Introduction to PCI Compliance on IBM Power Systems
DATA ENCRYPTION AND KEY MANAGEMENT
Crypto Complete™: IBM i based data at rest encryption
Through Authorization Lists, users can be granted access to the fully decrypted field values, restricted to the masked values, or can be completely denied access.
• Key Management
• Security Controls
• Audit Logs & Alerts
• FieldProc Programs
• Key Rotation
• Policy Settings for PCI
30. An Introduction to PCI Compliance on IBM Power Systems
REAL-TIME SECURITY REPORTING
31. An Introduction to PCI Compliance on IBM Power Systems
REAL-TIME SECURITY REPORTING
Requirement 10: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
Parses the complex IBM i audit journal data into a simple-to-read event, and exports security-related events to a SYSLOG format that can be read by many Security Information Management solutions.
32. An Introduction to PCI Compliance on IBM Power Systems
REAL-TIME EVENT ESCALATION AND NOTIFICATION
NETWORK SECURITY
AUTHORITY BROKER
CRITICAL OS MESSAGES (QSYSOPR / QSYSMSG)
SECURITY AUDIT JOURNAL (QAUDJRN)
Monitoring of Apache Web Logs
ArcSight CEF certified Compliance
33. An Introduction to PCI Compliance on IBM Power Systems
SIEM: DISPARATE LOGS INTO UNIFIED VIEW
35. An Introduction to PCI Compliance on IBM Power Systems
EVENT FILTERING OPTIONS
36. An Introduction to PCI Compliance on IBM Power Systems
NATIVE VIRUS DETECTION
37. An Introduction to PCI Compliance on IBM Power Systems
ADVANCED NATIVE VIRUS DETECTION
Requirement 5: Use and regularly update anti-virus software or programs.
StandGuard Anti-Virus provides native virus protection for your Power Systems servers running IBM i, and should be considered a requirement for any server that uses the Integrated File System (IFS).
In addition to IBM i, StandGuard Anti-Virus supports AIX on Power, as well as Linux and Domino, extending the investment even further.
Powered by McAfee (Intel).
38. An Introduction to PCI Compliance on IBM Power Systems
NATIVE VIRUS DETECTION AND PROTECTION
40. An Introduction to PCI Compliance on IBM Power Systems
NATIVE ANTI-VIRUS PROTECTION FOR THE IFS
43. An Introduction to PCI Compliance on IBM Power Systems
MAKE THAT 248,095 VIRUSES FOUND!
44. An Introduction to PCI Compliance on IBM Power Systems
CUSTOM AUDITING AND REPORTING
45. An Introduction to PCI Compliance on IBM Power Systems
CUSTOM AUDITING AND REPORTING
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
– The “User Profiles with Default Passwords” report, which includes a predefined filter specifically for IBM system profiles.
Requirement 8: Assign a unique ID to each person with computer access.
– Comprehensive reporting on user profiles.
Requirement 10: Track and monitor all access to network resources and cardholder data.
– Comprehensive audit reporting.
46. An Introduction to PCI Compliance on IBM Power Systems
CUSTOM AUDITING AND REPORTING
Requirement 11: Regularly test security systems and processes.
– If IBM i auditing is turned on, Compliance Monitor provides full audit reporting over all object access, including object reads, changes, deletes, and moves. The reports can be filtered by objects and users.
Requirement 12: Maintain a policy that addresses information security for all personnel.
• Your Information Security Policy should specifically address your IBM i systems.
• A comprehensive Compliance Guide is included within Compliance Monitor.
• Scorecards can compare security configuration against an IBM i-specific policy.
• Open source Security Policy.
47. An Introduction to PCI Compliance on IBM Power Systems
CONFIGURATION AUDITING AND EVENT FORENSICS
[Architecture diagram: Browser (report display) -> IBM i Consolidator (audit data and report settings are stored here) -> IBM i Endpoints (systems to audit)]
48. An Introduction to PCI Compliance on IBM Power Systems
CONFIGURATION AUDITING AND EVENT FORENSICS
COMPRESS QAUDJRN STORAGE
COMPLIANCE REGULATIONS
GRAPHICAL SCORECARD REPORTS
CONSOLIDATED REPORTING
49. An Introduction to PCI Compliance on IBM Power Systems
PCI REPORT GROUP – OUT OF THE BOX
50. An Introduction to PCI Compliance on IBM Power Systems
USER PROFILES WITH DEFAULT PASSWORDS
Filter, sort, and export
51. An Introduction to PCI Compliance on IBM Power Systems
VENDOR-SUPPLIED PROFILES - FILTER
52. An Introduction to PCI Compliance on IBM Power Systems
QAUDJRN REPORTING MADE EASY
54. An Introduction to PCI Compliance on IBM Power Systems
MANAGEMENT OF PRIVILEGED USERS
55. An Introduction to PCI Compliance on IBM Power Systems
MANAGEMENT OF PRIVILEGED USERS
Requirement 6.4: Follow change control processes and procedures for all changes to system components.
– Monitors and controls who can make changes to system components through powerful user profiles and special authorities. Controls the elevation to privileged user profiles and maintains an audit log of user activities.
Requirement 7: Restrict access to cardholder data by business need-to-know.
– Audits and controls the access that users have to sensitive data through the special and private authorities associated with their user profile.
56. An Introduction to PCI Compliance on IBM Power Systems
MANAGEMENT OF PRIVILEGED USERS
Requirement 10.1: Establish a process for linking all access to system components (especially those done with administrative privileges such as root) to an individual user.
– Enables the elevation of privileges while maintaining a detailed audit log of user activities. Logs are tied to the originating user.
57. An Introduction to PCI Compliance on IBM Power Systems
POWERFUL USER ACCOUNT MANAGEMENT AND REPORTING
[Workflow diagram: user profile lacks necessary authority -> switch profile request submitted -> authority increased]
COMPREHENSIVE REPORTING
PROFILE SWAP ALERT
SEPARATION OF DUTIES
58. An Introduction to PCI Compliance on IBM Power Systems
CONTROLS THE ELEVATION OF USER PROFILES
59. An Introduction to PCI Compliance on IBM Power Systems
DETAILED COMMAND LOG – TIED TO ORIGINAL USER
60. An Introduction to PCI Compliance on IBM Power Systems
DETAILED AUDIT LOG – INCLUDES SCREEN CAPTURE
61. An Introduction to PCI Compliance on IBM Power Systems
REAL-TIME DATABASE MONITORING
62. An Introduction to PCI Compliance on IBM Power Systems
REAL-TIME DATABASE MONITORING
Requirement 3: Protect stored cardholder data. Monitor all critical database files.
Requirement 7.2: Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
Monitors database access in real time at the record and field level. Powerful workflow capabilities provide notification, authorization, and reporting capabilities for regulatory compliance.
63. An Introduction to PCI Compliance on IBM Power Systems
REAL-TIME DATABASE MONITORING
Requirement 10.2: Implement automated audit trails to reconstruct the following events for all system components:
Requirement 10.2.1: All individual user accesses to cardholder data.
DataThread real-time reporting and notification of access to critical files.
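Added example (not from the slides or any HelpSystems product): a small Python normaliser that turns constructed QAUDJRN-style read, change and authority-failure records into RFC 5424 syslog lines for a SIEM, as the real-time security reporting slide describes, and flags accesses to a cardholder file by users outside a deny-all need-to-know list, the Requirement 7.2 and 10.2.1 checks above. The record layout, host name, user profiles, library and object names are assumptions.

```python
from dataclasses import dataclass

# Constructed sample records (not real journal output): each tuple is
# (QAUDJRN entry type, timestamp, user profile, object, library).
# ZR = object read, ZC = object change, AF = authority failure are real
# QAUDJRN entry types; the users, objects and libraries are made up.
SAMPLE_EVENTS = [
    ("ZR", "2016-03-01T09:12:05", "JSMITH", "CARDHLD", "PAYLIB"),
    ("ZR", "2016-03-01T09:15:40", "TJONES", "CARDHLD", "PAYLIB"),
    ("ZC", "2016-03-01T09:20:11", "JSMITH", "CARDHLD", "PAYLIB"),
    ("AF", "2016-03-01T09:25:00", "GUEST", "CARDHLD", "PAYLIB"),
    ("ZR", "2016-03-01T09:30:00", "TJONES", "INVENTRY", "APPLIB"),
]

# Need-to-know policy in the PCI DSS 7.2 "deny all" style: only the listed
# users may touch each policed (library, object); everyone else is denied.
# Objects not listed here hold no cardholder data and are not policed.
NEED_TO_KNOW = {("PAYLIB", "CARDHLD"): {"JSMITH"}}
SEVERITY = {"ZR": 6, "ZC": 5, "AF": 4}  # syslog info / notice / warning
LOG_AUDIT_FACILITY = 13                  # RFC 5424 facility "log audit"

@dataclass
class AuditEvent:
    entry_type: str
    timestamp: str
    user: str
    obj: str
    library: str

    def violates_need_to_know(self) -> bool:
        allowed = NEED_TO_KNOW.get((self.library, self.obj))
        return allowed is not None and self.user not in allowed

    def to_syslog(self, host: str = "IBMI01") -> str:
        # A policed file touched outside the allowed list is escalated to critical
        sev = 2 if self.violates_need_to_know() else SEVERITY.get(self.entry_type, 6)
        pri = LOG_AUDIT_FACILITY * 8 + sev
        return (f"<{pri}>1 {self.timestamp}Z {host} QAUDJRN - {self.entry_type} - "
                f"user={self.user} object={self.library}/{self.obj} "
                f"ntk_violation={str(self.violates_need_to_know()).lower()}")

def parse_events(records) -> list:
    return [AuditEvent(*r) for r in records]

def need_to_know_violations(records) -> list:
    return [e for e in parse_events(records) if e.violates_need_to_know()]

if __name__ == "__main__":
    for event in parse_events(SAMPLE_EVENTS):
        print(event.to_syslog())
```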
64. An Introduction to PCI Compliance on IBM Power Systems
REAL-TIME DATABASE MONITORING
DATABASE CHANGE FAST ANALYSIS/ACTION
AUDIT REPORTS
WORKFLOW REQUIREMENTS
SECURE HISTORY
AUTOMATIC ALERTS
ELECTRONIC SIGNATURES
65. An Introduction to PCI Compliance on IBM Power Systems
DATABASE MONITORING – BEFORE AND AFTER
66. An Introduction to PCI Compliance on IBM Power Systems
WORKFLOW PROVIDES NOTIFICATION/AUTHORIZATION
69. An Introduction to PCI Compliance on IBM Power Systems
info@helpsystems.com
Thanks for your time!
Please visit www.helpsystems.com to access:
• Demonstration videos and trial downloads
• Product information datasheets
• PCI guide and related articles
• Customer success stories
• To schedule your FREE Security Scan
www.helpsystems.com
(800) 328-1000