Credit-Card Security with Mainframes

Ensure online transaction safety with z/OS's inherent security features

Illustration by Jeffrey Pelo

It's that time again - the holiday shopping season. Shoppers are ready to use their plastic for online purchases in record numbers, secure in the knowledge that their issuing banks and retailers are protecting their personal information, thanks to the Payment Card Industry Data Security Standard (PCI DSS) - and thanks to the mainframes behind many of these transactions.

Maybe the average shopper isn't aware of PCI DSS or the mainframe's role in the standard. Behind each card swipe, retailers and banks are driven to ensure compliance with this standard. But those that have been prioritizing security as a business requirement are well positioned to respond to PCI DSS audits, particularly if they have been using the security features provided in the IBM* System z* platform. Read more about PCI DSS in "Protecting Confidential Data With Payment Card Industry Compliance".

Like the PCI DSS, the System z platform was designed from the beginning to protect data and applications from getting into the wrong hands. While most distributed architectures address security issues with a "separation of servers" philosophy, the mainframe addresses security with a "centralization of data" view.

When it comes to PCI DSS audits - or other business-motivated auditing controls - the mainframe can provide the security processes and policy controls that auditors are looking for. The most important features the mainframe provides include:

  1. Allow customers to limit the retention and flow of sensitive data by using the mainframe as a highly secure data hub
  2. Provide security features for virtualized servers
  3. Encrypt sensitive data as it crosses the network
  4. Protect encryption keys
  5. Provide strong audit controls and tracking
  6. Provide well-known security configurations that achieve or surpass the industry standard

Secure Data Hub

One sure way to limit breach exposures is to minimize the retention points and flow of data. The adage "less is more" has been a good guideline for auditors. The mainframe, when used as a secure central hub for Personally Identifiable Information and Personal Account Number (PAN) data, can simplify the audit challenge of having to prove compliance on tens or hundreds of distributed systems. The mainframe was designed to support business when constrained resources demanded that applications share compute resources safely. Isolation and control were key design points, as applications had to be isolated from each other. This underlies the System z platform's exceptional systems integrity and contrasts with other platforms that weren't designed to prevent conflict.

The System z platform is inherently resistant to hacking and information theft because of the controls built into its hardware microcode to support process isolation and data integrity. Due to the tight integration between the hardware and z/OS*, executable instructions are treated separately, providing additional resistance to buffer overflow attacks. Applications must go through a z/OS control point such as RACF* to access resources, and RACF and z/OS can document the request, providing auditing and charge-back capabilities.

Auditors can be shown the z/OS integrity statement to help demonstrate the mainframe's unique security focus on data integrity and system exposures. First issued in 1973, IBM's mainframe integrity statements have stood for more than three decades as a symbol of IBM's confidence in and commitment to z/OS. z/OS features prevent unauthorized users and applications from gaining access, circumventing, disabling or obtaining control of key z/OS system processes and resources. More information can be found online.

Mary E. Moore is the IBM System z security initiative leader. She can be reached at marymoor@us.ibm.com
