Page 1: Payment Card Industry (PCI) Data Security Standards (DSS) – Challenges and Issues for zSeries Systems

Vanguard Integrity Professionals
www.go2vanguard.com
October 2012

Page 2: Session Overview

The PCI Data Security Standards apply to any company that transmits, processes or stores credit card “cardholder” data.

While many companies are exempt from PCI, companies are not exempt from protecting their sensitive data, which includes customer, company confidential and Personally Identifiable Information (PII).

This presentation provides an overview of the PCI Data Security Requirements, why they evolved, why they are important and how the requirements can be leveraged by all companies to improve their overall compliance program. Several of the requirements will be discussed in detail, the “hidden meaning” of the requirement will be revealed, and examples will be provided showing how RACF controls can be implemented, and supporting evidence collected, to demonstrate compliance.

Page 3: The Problem: Credit Card Breaches

Albert Gonzalez dubbed his operation “Operation Get Rich or Die Tryin’”.

Convicted for breaches at: TJX Corp (45M), Heartland Payment Systems (100M), Hannaford Bros Co (4.2M), 7-Eleven (TBD), 2 unidentified companies (TBD).

Albert also infiltrated these companies for over 40 million cards: BJ's Wholesale Club, Barnes & Noble Inc, Office Max, Dave & Buster's, DSW shoe stores, Forever 21.

As long as we have a black market for credit cards, we’ll continue to have cardholder breaches.

Page 4: The Cost of a Credit Card Breach

[Figure: Forrester Report – Costs Associated with a Credit Card Breach]

Page 5: The PCI DSS Infrastructure

The PCI Security Council, Sponsoring Organizations, QSAs and PFIs:

• PCI Security Council & Sponsoring Organizations
• Qualified Security Assessor (QSA): 264 companies as of August 2011
• PCI Forensic Investigator (PFI): 15 companies as of August 2011

Page 6: Top PCI Challenges for zSeries Systems

Challenges

1. Interpreting PCI DSS for zSeries Systems

Page 7: Top PCI Challenges for zSeries Systems – PCI DSS High Level Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Page 8: “Interpreting PCI DSS for zSeries Systems” – Requirement 7.2

Requirement 7: Restrict access to cardholder data by business need to know

Table columns on the slide: PCI DSS Requirement | Testing Procedure | In Place | Not in Place | Target Date / Comments

7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
  Testing procedure 7.2: Examine system settings and vendor documentation to verify that an access control system is implemented as follows:

7.2.1 Coverage of all system components
  Testing procedure 7.2.1: Confirm that access control systems are in place on all system components.

7.2.2 Assignment of privileges to individuals based on job classification and function
  Testing procedure 7.2.2: Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.

7.2.3 Default “deny-all” setting
  Testing procedure 7.2.3: Confirm that the access control system has a default “deny-all” setting.

Page 9: “Interpreting PCI DSS for zSeries Systems” – Navigating PCI DSS

Refer to “Navigating PCI DSS” for guidance on interpreting the intent of a requirement.

Requirement 7.2 Guidance

Without a mechanism to restrict access based on user’s need to know, a user may unknowingly be granted access to cardholder data. Use of an automated access control system or mechanism is essential to manage multiple users.

This system should be established in accordance with your organization’s access control policy and processes (including “need to know” and “role-based access control”), should manage access to all system components, and should have a default “deny-all” setting to ensure no one is granted access until and unless a rule is established specifically granting such access.

Page 10: “Interpreting PCI DSS for zSeries Systems” – PCI 7.2.3 “Deny-all” Settings

Requirement 7: Restrict access to cardholder data by business need to know

7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:

7.2.3 Default “deny-all” settings

PCI 7.2.3 Testing Procedure: Confirm that the access control systems have a default “deny-all” setting.

• The challenge for complying with PCI 7.2.3 is to determine the meaning of a default “deny-all” setting.

• For a RACF system, the PROTECTALL feature would be the obvious default “deny-all” setting.

• However, if you stop there, you would be misinterpreting the requirement.

Page 11: “Interpreting PCI DSS for z/OS Software” – “Deny-All” Settings

Some examples of RACF “deny-all” settings:

• Profiles – Universal Access
• Profiles – Warning
• Global Access Table
• Inactive RACF Classes
• ID(*) on an access list with READ or higher

Page 12: “Interpreting PCI DSS for zSeries Systems” – What is a z/OS “System Component”?

Items named on the slide: 1st Systems Programmer, 2nd Systems Programmer, RACF Engineer, RACF Administrator, Master Catalog, SDSF, The RACF Database, Dataset Profiles, APF Authorized Datasets, Session Managers, Copies of the RACF database, General Resource Profiles, LINKLIB Datasets, SYS1.UADS Dataset, SETROPTS Settings, User ID Attributes, User Catalogs, WebSphere, RACF CDT, Group Connect Authorities, RACF Database, JES2 / JES3, RACF Classes, Role Based Access, Parmlib Datasets, OMEGAMON, General Resource Profiles, Database Administrator, Multi-User Access Systems, WebSphere MQ, Encryption Keys, IMS Databases, z/OS Security Patches, DFSMS, Group Membership, DB2 Databases, System Proclibs, SVCs, Privileged Userids, DB2 Table Trace, Started Tasks, CICS System Datasets, RACF Exits, Oracle Databases, SYS1.Parmlib, DB2 System Datasets, RACF Tables, RACF Classes for DB2, SMF Log Files, IBM Comm Server, IRR Prefixed Utilities, IDMS, System Exits, Vendor Security Products, Logging Parameters, QSA & Compliance Officers, ICSF Encryption Keys, Magnetic Tape (?)

Page 13: Top PCI Challenges for zSeries Systems

Challenges

1. Proper Interpretation of the Requirements
2. Reducing Scope

Page 14: “Reducing Scope” – Current SMF Data Flow Diagram

[Diagram: SMF data flow based on an “interview”. Datasets shown: SYS1.SMFMANxx; SYSA.PARMLIB(SMFPRM00); PROD.SMF.WKLY(+1); SEC.RACF.SMFW(+1); SYS2.SMF.UNLOAD; SEC.RACF.SMFD(+1); BKUP.SMF.WKLYY(+1); SMF.DAILY(+1); SEC.RACF.SMFM(+1); ONLINE Reports; SAR.SEC.VIOL(+1); SAR.SEC.ACCESS(+1); SAR.RACF.CMDS(+1); SAR.LOGONS(+1); RACF Compliance Reports (stored on DASD volumes). Retention periods (RETPD) annotated on the diagram: 10 days, 20 days, 60 days, 180 days OFFSITE, 1 day, 60 days, 30 days.]

RACF covering profiles: SYSA.*, SYS1.SMFMAN*, SYS2.SMF*, SMF.**, PROD.SMF.**, BKUP.SMF.**, SEC.RACF.*, SAR.**

Page 15: “Reducing Scope” – Reduced SMF Data Flow Diagram

[Diagram: reduced SMF data flow. Datasets shown: SMF.SMFMANxx; SMF.PARMLIB(SMFPRM00); SMF.WKLY(+1); SMF.UNLOAD; SMF.RACF.SMFD(+1); SMF.DAILY(+1); E-Mail; RACF Compliance Reports. Retention periods (RETPD) annotated on the diagram: 14 days onsite; 365 days offsite; 90 days onsite; 1 day.]

RACF covering profile: SMF.**

Remediation Activities

1. Eliminated unnecessary SMF extract files
2. Renamed datasets to eliminate 7 RACF dataset profiles
3. Remediated the new RACF dataset profile to be PCI compliant
4. Increased the offsite retention period from 180 to 365 days
5. Increased the onsite availability from 60 to 90 days
6. Created an SMF Data Flow Diagram to document the process

PCI requirements referenced on the diagram: 10.7.b; 7.2.1, 7.2.2, 7.2.3; 10.2.3, 10.5.1, 10.5.2; 10.5.3; 10.6; 10.7.b; 10.5.3

Page 16: Top PCI Challenges for zSeries Systems

Challenges

1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements

Page 17: “Identifying Not in Place Requirements” – Vanguard’s Findings Mapped to PCI Requirements

Vanguard’s Top 10 RACF Findings

Rank  Description of Finding                                          Percent Occurrence of Finding  PCI Requirement
 1    Excessive Number of User IDs with No Password Interval          67%                            8.5.9
 2    Data Set Profiles with UACC Greater than READ                   52%                            7.2.2 / 7.2.3
 3    Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)     52%                            7.2.2
 4    Started Task IDs are not Defined as PROTECTED IDs               44%                            2.2.3
 5    Production Batch Jobs have Excessive Resource Access            39%                            7.2.2
 6    Excessive Access to APF Libraries                               37%                            7.2.2
 7    Data Set Profiles with UACC of READ                             36%                            7.2.2 / 7.2.3
 8    Excessive Number of User IDs with the OPERATIONS Attribute      35%                            7.2.2
 9    RACF Database is not Adequately Protected                       32%                            7.2.2
10    Excessive Number of User IDs with the Special Attribute         31%                            7.2.2

Page 18: “Identifying ‘Not in Place’ Requirements” – Is this Dataset Profile PCI Compliant?

Dataset profile listing shown on the slide:

INFORMATION FOR DATASET PCI.CREDIT.DATA (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    PCI       READ              YES      NO

AUDITING
--------
FAILURES(READ)

NOTIFY
--------
NO USER TO BE NOTIFIED

ID        ACCESS
--------  -------
*         READ
USER1     READ
PCIGRP    READ

ID        ACCESS  CLASS   ENTITY NAME
--------  ------  ------  -----------
NO ENTRIES IN CONDITIONAL ACCESS LIST

Slide annotations on the listing: PCI 7.2.2 Role Based Access; PCI 7.2.3 (UACC, WARNING and ID(*) READ); PCI 9.10.2 Render cardholder data unrecoverable; PCI 10.2.1 Log all access to cardholder data; PCI 11.5.b

Requirement Not in Place

7.2.2 User ids on access list
7.2.3 UACC not set to a deny-all setting
7.2.3 WARNING not set to a deny-all setting
7.2.3 ID(*) READ not set to a deny-all setting
9.10.2 ERASE not set to (YES)
10.2.1 AUDIT not set to (ALL)
11.5.b NOTIFY not used to send alerts
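As an added example, not code from the presentation or from Vanguard, the following Python script parses a LISTDSD-style profile listing such as the one above and reports the same “Not in Place” items, using the slide’s mapping of profile attributes to PCI requirement numbers. Both listings are constructed for the example (the second shows the same profile after remediation), the conditional access list is omitted, and treating PCIGRP as a group is an assumption passed in by the caller, since a RACF access list does not itself mark an entry as user or group.

```python
"""Evaluate a RACF data set profile (LISTDSD-style display) against the PCI
checks on the "Is this Dataset Profile PCI Compliant?" slide.  Added example,
not Vanguard code; attribute-to-requirement mapping is the slide's."""
import re

# Constructed listing mirroring the slide (conditional access list omitted).
SAMPLE_LISTING = """\
INFORMATION FOR DATASET PCI.CREDIT.DATA (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    PCI       READ              YES      NO
AUDITING
--------
FAILURES(READ)
NOTIFY
--------
NO USER TO BE NOTIFIED
ID        ACCESS
--------  -------
*         READ
USER1     READ
PCIGRP    READ
"""

# The same profile after remediation (constructed): deny-all settings, ERASE,
# AUDIT(ALL(READ)), a NOTIFY user, and only a group on the access list.
HARDENED_LISTING = """\
INFORMATION FOR DATASET PCI.CREDIT.DATA (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    PCI       NONE              NO       YES
AUDITING
--------
ALL(READ)
NOTIFY
--------
SECADMIN
ID        ACCESS
--------  -------
PCIGRP    READ
"""

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def parse_profile(text):
    """Extract the attributes the checks need from a LISTDSD-style listing."""
    prof = {"uacc": None, "warning": None, "erase": None,
            "auditing": None, "notify": None, "access_list": []}
    section = None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("-") or s.startswith("INFORMATION"):
            continue                          # blank, underline or title line
        if s.startswith("LEVEL"):
            section = "level"
        elif s in ("AUDITING", "NOTIFY"):
            section = s.lower()
        elif re.match(r"ID\s+ACCESS$", s):
            section = "access"
        elif section == "level":              # "00 PCI READ YES NO"
            _, _, prof["uacc"], prof["warning"], prof["erase"] = s.split()
            section = None
        elif section == "auditing":
            prof["auditing"], section = s, None
        elif section == "notify":
            prof["notify"] = None if s.startswith("NO USER") else s
            section = None
        elif section == "access":             # "USER1 READ"
            ident, access = s.split()
            prof["access_list"].append((ident, access))
    return prof


def check_profile(prof, groups=("PCIGRP",)):
    """Return (PCI requirement, finding) pairs for every slide check that fails.
    The caller names the groups (assumption; resolve via LISTGRP in practice)."""
    findings = []
    users = [i for i, _ in prof["access_list"] if i != "*" and i not in groups]
    if users:                                 # 7.2.2: access by role, not by user
        findings.append(("7.2.2", "User IDs on access list: " + ", ".join(users)))
    if prof["uacc"] != "NONE":
        findings.append(("7.2.3", "UACC(%s) is not a deny-all setting" % prof["uacc"]))
    if prof["warning"] != "NO":
        findings.append(("7.2.3", "WARNING is not a deny-all setting"))
    for ident, access in prof["access_list"]:
        if ident == "*" and ACCESS_ORDER.index(access) >= ACCESS_ORDER.index("READ"):
            findings.append(("7.2.3", "ID(*) %s is not a deny-all setting" % access))
    if prof["erase"] != "YES":
        findings.append(("9.10.2", "ERASE not set to (YES)"))
    if not (prof["auditing"] or "").startswith("ALL("):
        findings.append(("10.2.1", "AUDIT not set to (ALL)"))
    if prof["notify"] is None:
        findings.append(("11.5.b", "NOTIFY not used to send alerts"))
    return findings
```

Running `check_profile(parse_profile(SAMPLE_LISTING))` yields the seven findings listed on the slide, in the slide’s order; the same call on `HARDENED_LISTING` returns an empty list. To use it on real output, capture `LISTDSD` output for each cardholder-data profile and feed each profile’s text to `parse_profile`.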

Page 19: “Identifying ‘Not in Place’ Requirements” – PCI RACF Mini-Review

Making Management aware.

Why do I need a PCI z/OS RACF Mini Readiness Review?

The mini assessment is designed to give the administrator and their management a real-time view (health check) of the integrity of their system. The Mini assessment is an engagement that investigates areas in which we frequently find problems. Each problem is then mapped to the applicable PCI requirement.

This no-charge offering, with an investment of only a few hours’ time, provides you with insight into the z/OS RACF “Not in Place” conditions that need to be addressed. Mini Readiness Reviews can help you develop the justification management needs to allocate resources to address the issues identified.

Page 20: Top PCI Challenges for zSeries Systems

Challenges

1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
4. Proving Compliance

Page 21: “Proving Compliance” – Supporting Documentation

[Sample report: 7.2.3 Deny-All Settings, produced by Vanguard Administrator™. Report elements annotated on the slide: Report “Date and Time”, CPU ID, Report Masking Criteria, Version #, Product Name, Watermark, Report Name, Profile Names.]

Page 22: “Proving Compliance” – Supporting Documentation

7.2 Establish an access control system for systems components
  Exhibit 7.2 – Cardholder Data Flow Diagram
  Exhibit 7.2 – RACF Data Flow Diagram
  Exhibit 7.2 – SMF Data Flow Diagram

7.2.1 Coverage of all system components
  Exhibit 7.2.1 – RACF Databases

7.2.2 Assignment of privileges based on job classification and function
  RACF Group Profiles: Exhibit 7.2.2 – RBAC Supporting Documentation
  RACF User ID Profiles: Exhibit 7.2.2 – User IDs with System Level Administrative Privileges; Exhibit 7.2.2 – User IDs on Access Lists
  RACF Dataset Profiles: Exhibit 7.2.2 – Cardholder Dataset Profiles
  System Data Set Profiles: Exhibit 7.2.2 – Authorized Program Facility (APF) Data Sets; Exhibit 7.2.2 – DASD Volume Backup Data Sets; Exhibit 7.2.2 – LINKLIST Data Sets

Page 23: Top PCI Challenges for zSeries Systems

Challenges and Solutions

1. Proper Interpretation of the Requirements
2. Reducing Scope
3. Identifying “Not in Place” Requirements
4. Proving Compliance
5. Staying Compliant

Page 24: “Staying Compliant” – Ongoing Readiness Reviews

Requirement 7.2.3 – System Settings
• PROTECTALL Feature

Profile Settings
• WARNING Attribute
• Universal Access – UACC(NONE) Attribute
• ID(*) on an Access List
• Global Access Settings (GAC)
• General Resource Back-Stop Profiles
• Inactive General Resource Classes

Profiles that can bypass a “deny-all” Setting
• TAPEDSN Feature
• ICHBLP Profile
• RACF Dataset Conversion Table
• RACF Exits

Page 25: “Staying Compliant” – Continuous Monitoring Tools – Intrusion Prevention

“Continuous Monitoring and Policy Enforcement” of RACF Commands (Vanguard Policy Manager™):

1. User issues a supported RACF command
   a) Validates that the command issuer is authorized to issue the command
   b) Validates that the command is compliant with user-defined policies
   c) Modifies commands to comply with written policies prior to execution
   d) Fails non-compliant commands (e.g. unauthorized changes to the PCI.CREDIT.DATA profile)
   e) Logs all command activity to System Management Facility (SMF)

PCI requirements referenced: 7.2.3, 10.2.2, 10.2.7
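The following Python script is an added example that models the five steps above; it is not Vanguard Policy Manager or any of its code. It accepts a small subset of RACF PERMIT, ADDSD and ALTDSD syntax, checks commands against the deny-all rules the deck lists (UACC, WARNING, ID(*) READ), rewrites a new profile so that it is created compliant, fails the rest, and appends every decision to an in-memory list standing in for the SMF records. The profile prefix PCI., the issuer list and the policy rules themselves are constructed for the example.

```python
"""Toy model of the command-policy flow on the slide: a) authorize the issuer,
b) validate the command against policy, c) modify it to comply, d) fail it,
e) log everything.  Added example, not Vanguard Policy Manager; the command
syntax is a small subset of RACF PERMIT/ADDSD/ALTDSD and the policy rules,
issuer list and log are constructed for illustration."""
import re

PROTECTED_PREFIX = "PCI."                       # profiles in scope (assumption)
AUTHORIZED_ISSUERS = {"RACFADM1", "RACFADM2"}   # constructed
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
COMMAND_LOG = []            # stands in for the SMF records the product would cut

# One keyword token, allowing one level of nesting as in AUDIT(ALL(READ)).
TOKEN = re.compile(r"\w+(?:\((?:[^()]|\([^()]*\))*\))?")


def parse_command(cmd):
    """Split "VERB 'PROFILE' KEY(VALUE) ... FLAG" into its parts."""
    m = re.match(r"\s*(\w+)\s+'([^']+)'\s*(.*)$", cmd)
    if not m:
        raise ValueError("unsupported command syntax: " + cmd)
    verb, profile, rest = m.groups()
    keywords, flags = {}, set()
    for tok in TOKEN.findall(rest):
        if "(" in tok:
            key, val = tok[:-1].split("(", 1)
            keywords[key.upper()] = val.upper()
        else:
            flags.add(tok.upper())
    return verb.upper(), profile.upper(), keywords, flags


def render(verb, profile, keywords, flags):
    """Rebuild a command string from parsed parts."""
    parts = [verb, "'%s'" % profile]
    parts += ["%s(%s)" % kv for kv in keywords.items()] + sorted(flags)
    return " ".join(parts)


def enforce(issuer, cmd):
    """Apply steps a)-e) and return (disposition, command or reason)."""
    verb, profile, kw, flags = parse_command(cmd)

    def log(disposition, detail):           # e) every command is recorded
        COMMAND_LOG.append({"issuer": issuer, "command": cmd,
                            "disposition": disposition, "detail": detail})
        return disposition, detail

    if issuer not in AUTHORIZED_ISSUERS:    # a) issuer authorization
        return log("FAIL", "issuer %s is not authorized to issue %s" % (issuer, verb))
    if not profile.startswith(PROTECTED_PREFIX):
        return log("ALLOW", cmd)            # outside policy scope: pass through
    if verb == "PERMIT":                    # b) policy check, d) fail on violation
        acc = kw.get("ACCESS", "READ")      # RACF defaults PERMIT to ACCESS(READ)
        if kw.get("ID") == "*" and ACCESS_ORDER.index(acc) >= ACCESS_ORDER.index("READ"):
            return log("FAIL", "ID(*) ACCESS(%s) violates deny-all policy (PCI 7.2.3)" % acc)
    elif verb in ("ADDSD", "ALTDSD"):
        if "WARNING" in flags:
            return log("FAIL", "WARNING violates deny-all policy (PCI 7.2.3)")
        if kw.get("UACC", "NONE") != "NONE":
            return log("FAIL", "UACC(%s) violates deny-all policy (PCI 7.2.3)" % kw["UACC"])
        if "NOERASE" in flags:
            return log("FAIL", "NOERASE violates erase-on-scratch policy (PCI 9.10.2)")
        if verb == "ADDSD":                 # c) new profiles are created compliant
            wanted = {"UACC": "NONE", "AUDIT": "ALL(READ)"}
            missing = {k: v for k, v in wanted.items() if k not in kw}
            if missing or "ERASE" not in flags:
                kw.update(missing)
                flags.add("ERASE")
                return log("MODIFY", render(verb, profile, kw, flags))
    return log("ALLOW", cmd)                # only compliant commands pass unchanged


if __name__ == "__main__":
    for issuer, cmd in [("RACFADM1", "PERMIT 'PCI.CREDIT.DATA' ID(*) ACCESS(READ)"),
                        ("RACFADM1", "ADDSD 'PCI.NEW.DATA' OWNER(PCI)"),
                        ("USER1", "ALTDSD 'PCI.CREDIT.DATA' UACC(NONE)")]:
        print(issuer, cmd, "->", enforce(issuer, cmd))
```

The design point is that the decision (ALLOW, MODIFY or FAIL) is taken before the command reaches RACF and is logged regardless of outcome, which is what lets the same record serve both the intrusion-prevention control and the PCI 10.2.2 / 10.2.7 logging requirements the slide cites.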

Page 26: “Staying Compliant” – Continuous Monitoring Tools – Intrusion Prevention

Monitor and Fail Non-Compliant RACF Commands

PCI requirement referenced: 11.4.a

Page 27: “Staying Compliant” – Continuous Monitoring Tools – Intrusion Detection

Monitoring RACF “Insufficient Access” Events

Page 28: “Staying Compliant” – Continuous Monitoring Tools – Intrusion Detection

Vanguard Enforcer™ and Vanguard Advisor™ – Real-Time Alerts

PCI requirement referenced: 11.4.b

Page 29: References

PCI Security Standards Council – Payment Card Industry (PCI) Data Security Standards and Navigating PCI DSS 2.0. https://www.pcisecuritystandards.org/

NIST – National Checklist Program Repository, zSeries RACF STIG. http://web.nvd.nist.gov/view/ncp/repository?page_num=1

xBridge Systems – Achieving PCI Compliance on the Mainframe (White Paper). http://www.xbridgesystems.com/products/whitepapers/Xbridge_White_Paper_Achieving_PCI_Compliance_on_the_Mainframe_April_2011.pdf

Verizon Business – Verizon 2010 Payment Card Industry Compliance Report. http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf

Gartner Research Note – "Why Your IBM zSeries Mainframe May Not Be as Secure as You Think It Is and What You Can Do About It." http://www.go2vanguard.com/gartner_request.php

Verisign Global Security Consulting Services – Compliance and the cost of a credit card breach. http://www.verisign.com/static/PCI_REASONS.pdf

COMPUTERWORLD, January 6, 2010 – Update: Heartland breach shows why compliance is not enough. http://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough

Ponemon Institute – PCI DSS Trends 2010: QSA Insights Report. http://www.ponemon.org/data-security

Page 30: PCI Testing Procedures Referenced in this Presentation

7.2.1 Confirm that access control systems are in place on all system components.

7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.

7.2.3 Confirm that the access control systems have a default “deny-all” setting.

10.2.2 Verify actions taken by any individual with root or administrative privileges are logged.

10.2.3 Verify access to all audit trails is logged.

10.2.7 Verify creation and deletion of system level objects are logged.

10.5.1 Verify that only individuals who have a job-related need can view audit trail files.

10.5.2 Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms.

10.5.3 Verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.

10.6 Through observation and interviews, verify that regular log reviews are performed for all system components.

10.7.b Verify that audit logs are available for at least one year and processes are in place to immediately restore at least the last three months’ logs for analysis.

11.4.a Verify the use of intrusion-detection systems and/or intrusion-prevention systems and that all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment is monitored.

11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.

Page 31: Thank You

©2011 Vanguard Integrity Professionals, Inc.

Grazie (Italian), Merci (French), Danke (German), Gracias (Spanish), Obrigado (Brazilian Portuguese); the slide also shows “thank you” in Japanese, Russian, Arabic, Simplified Chinese, Traditional Chinese, Hindi, Tamil, Thai and Korean.

Page 32: About Vanguard Integrity Professionals

Vanguard Integrity Professionals is the world’s leading solutions provider in the field of RACF®. Leveraging its robust suite of security administration and auditing tools, a development and professional services team comprised of more than 30 of the top RACF experts in the world, and a proven history of providing market leading solutions for over 20 years, Vanguard has established a reputation as the best in the industry. Vanguard offers the most comprehensive suite of security software solutions, professional services, and training of any vendor in the world. More than 500 customers have partnered with Vanguard to ensure and protect the integrity of Information Systems and the confidentiality of sensitive production data in the nation's largest financial, healthcare, retail organizations and government agencies. Vanguard is also the developer and sponsor of Vanguard Security and Compliance™ (formerly, the Vanguard Enterprise Security Expo), the most prominent and insightful security conference in the industry, which has trained more than 8,000 security experts since 1987. Vanguard Professional Services provides customers with the industry's most comprehensive set of enterprise professional service offerings in the RACF z/OS®, distributed and Network/Internet markets. Vanguard consultants, with an average of 25 years’ experience, offer strategic consulting and training tailored to meet an organization’s unique business requirements, and can assist in the process of managing risks to protect the integrity of information systems and confidentiality of your data. Vanguard consultants are highly regarded and considered the best-of-the-best in their field. Vanguard’s Software Solutions offer a robust set of tools for z/OS Security Server and Resource Access Control Facility (RACF) that dramatically improve the efficiency of security administration and management, and address the demands of regulatory compliance and reporting. The Security Server is transformed into a real-time intrusion detection and policy enforcement platform, extending System z® security and audit capabilities across the enterprise. With Vanguard's solutions users are empowered to make immediate and informed security decisions.