How Vanguard Solves Your PCI DSS Challenges

Peter Roberts, Sr. Consultant

5/27/2016


AGENDA

1. About Vanguard/Introductions

2. What is PCI DSS

3. PCI DSS 3.1/3.2 Important Dates

4. PCI DSS Change Cycle

5. Top PCI challenges for z/OS®

6. How Vanguard Addresses PCI DSS Requirements

7. Q/A


What is PCI DSS?

What is PCI DSS - Payment Card Industry Data Security Standard?

Set of standards created by the PCI Security Standards Council

Enforced by contract with banks that provide payment card processing

Applicable to everyone who “stores, processes or transmits” payment card data


PCI DSS Requirements

High-level overview of the 12 PCI DSS Requirements

• Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters


• Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

• Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications


• Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data


• Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

• Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel


PCI DSS 3.1 / 3.2 Important Dates

• Feb 13, 2015: PCI 3.1 - Announced

• April 15, 2015: PCI 3.1 - Published

• April 28, 2016: PCI 3.2 - Announced/Published

• Oct 31, 2016: PCI 3.1 - 3.1 Retired

• Jan 31, 2018: PCI 3.2 - 3.2 becomes mandatory

• Jan 31, 2018: PCI 3.2 - 3.2’s new additions go from being a best practice to a requirement

• June 30, 2018: PCI 3.1 - Non early TLS (v1.1 or later) becomes mandatory


PCI DSS 3.2 Highlights

• All PCI

- Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication (8.3)

- Moved all notes and testing procedures regarding removal of SSL/early TLS to a new Appendix A2

- Version 3.1 expires on 31 October 2016 (3.2’s new additions are a best practice until 31 January 2018)

• Service Providers only:

- There are several new requirements that relate to Service Providers only, including:

  – Maintain a documented description of the cryptographic architecture (3.5.1)

  – Implement a process for the timely detection and reporting of failures of critical security control systems (10.8)

  – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods (11.3.4.1)

  – And several more…

• Designated Entities Supplemental Validation (DESV)

- Applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements (Appendix A.3)


PCI DSS Change Cycle


Common PCI Terms

1. CHD - Card Holder Data

2. SAD - Sensitive Authentication Data

3. PAN – Primary Account Number


TOP PCI CHALLENGES FOR z/OS

Interpretation of PCI requirements and applicability to z/OS


“Interpreting PCI DSS for z/OS”: What is a z/OS “System Component”?

1st Systems Programmer: Master Catalog; APF Authorized Datasets; LINKLIB Datasets; User Catalogs; RACF Database; Parmlib Datasets; Multi-User Access Systems; z/OS Security Patches; System Proclibs; Started Tasks; SYS1.Parmlib; SMF Log Files; System Exits; ICSF

2nd Systems Programmer: SDSF; Session Managers; SYS1.UADS Dataset; WebSphere®; JES2 / JES3; OMEGAMON; WebSphere MQ®; DFSMS; SVC’s; CICS® System Datasets; DB2® System Datasets; IBM Comm Server; Vendor Security Products; Encryption Keys

RACF® Engineer: The RACF Database; Copies of the RACF database; SETROPTS Settings; RACF CDT; RACF Classes; General Resource Profiles; Encryption Keys; Group Membership; Privileged Userids; RACF Exits; RACF Tables; IRR Prefixed Utilities; Logging Parameters; Magnetic Tape

RACF Administrator: Dataset Profiles; General Resource Profiles; User ID Attributes; Group Connect Authorities; Role Based Access

Database Administrator: IMS™ Databases; DB2 Databases; DB2 Table Trace; Oracle Databases; RACF Classes for DB2; IDMS

QSA & Compliance Officers: ?


Interpreting PCI DSS for z/OS - Example: PCI 7.2.3 “Deny-all” Settings

Requirement 7: Restrict access to cardholder data by business need to know

7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed. This access control system must include the following:

7.2.3 Default “deny-all” settings

PCI 7.2.3 Testing Procedure: Confirm that the access control systems have a default “deny-all” setting.

• The challenge for complying with PCI 7.2.3 is to determine the meaning of a default “deny-all” setting

• For a RACF system, the PROTECTALL feature would be the obvious default “deny-all” setting

• However, if you stop there, you would be misinterpreting the requirement


“Interpreting PCI DSS for z/OS”: “Deny-All” Settings

Some examples of RACF “deny-all” settings:

• Profiles - Universal Access

• ID(*) on an access list with READ or higher

• Profiles - Warning

• Global Access Table

• Inactive RACF Classes
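Each setting in the list above can let access through even when PROTECTALL is on, which is why PROTECTALL alone does not satisfy 7.2.3. The following added example (not from the original slides and not Vanguard or IBM code) checks a constructed, simplified settings export for those conditions; the record layout, the check names and every profile name except PCI.CREDIT.DATA are assumptions made for illustration.

```python
"""Audit a simplified RACF settings export for gaps in a default "deny-all".

Added illustration, not Vanguard or IBM code. The line-oriented input format
is constructed for this example; it is NOT the IRRDBU00 unload layout.
"""
from typing import NamedTuple

# RACF access levels, lowest to highest authority.
LEVELS = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")


class Finding(NamedTuple):
    check: str    # which condition from the slide was hit
    subject: str  # option, class or profile concerned
    detail: str


def _at_least(level: str, floor: str) -> bool:
    """True if `level` grants `floor` or more; unknown levels raise ValueError."""
    return LEVELS.index(level) >= LEVELS.index(floor)


def _attrs(tokens: list[str]) -> dict[str, str]:
    """Turn KEY=VALUE tokens into a dict with upper-cased keys and values."""
    return {k.upper(): v.upper() for k, v in (t.split("=", 1) for t in tokens)}


def audit(export_text: str) -> list[Finding]:
    """Return every setting in the export that lets access bypass 'deny-all'."""
    findings: list[Finding] = []
    protectall_seen = False
    for lineno, raw in enumerate(export_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, *rest = line.split()
        try:
            if kind == "SETROPTS":
                protectall_seen = True
                mode = _attrs(rest).get("PROTECTALL", "NONE")
                if mode != "FAILURES":
                    findings.append(Finding("PROTECTALL", "SETROPTS",
                                            f"PROTECTALL is {mode}, not FAILURES"))
            elif kind == "CLASS":
                name, state = rest
                if state.upper() != "ACTIVE":
                    findings.append(Finding("INACTIVE_CLASS", name,
                                            "profiles in an inactive class are not checked"))
            elif kind == "PROFILE":
                cls, name, *pairs = rest
                a = _attrs(pairs)
                if _at_least(a.get("UACC", "NONE"), "EXECUTE"):
                    findings.append(Finding("UACC", f"{cls} {name}",
                                            f"UACC={a['UACC']} applies to users not on the access list"))
                if a.get("WARNING", "NO") == "YES":
                    findings.append(Finding("WARNING", f"{cls} {name}",
                                            "WARNING mode allows the access and only logs it"))
            elif kind == "PERMIT":
                cls, name, *pairs = rest
                a = _attrs(pairs)
                if a["ID"] == "*" and _at_least(a["ACCESS"], "READ"):
                    findings.append(Finding("ID_STAR", f"{cls} {name}",
                                            f"ID(*) has {a['ACCESS']}"))
            elif kind == "GAT":
                cls, entry, *pairs = rest
                a = _attrs(pairs)
                if _at_least(a["ACCESS"], "EXECUTE"):
                    findings.append(Finding("GAT", f"{cls} {entry}",
                                            f"global access table grants {a['ACCESS']}"))
            else:
                raise ValueError(f"unknown record type {kind!r}")
        except (ValueError, KeyError) as exc:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}") from exc
    if not protectall_seen:
        findings.append(Finding("PROTECTALL", "SETROPTS", "no PROTECTALL setting in export"))
    return findings


# Constructed sample. Only PCI.CREDIT.DATA is a name that appears on the slides.
SAMPLE_EXPORT = """\
SETROPTS PROTECTALL=FAILURES
CLASS DATASET ACTIVE
CLASS TAPEVOL INACTIVE
PROFILE DATASET PCI.CREDIT.DATA UACC=NONE WARNING=NO
PROFILE DATASET PCI.REPORTS.** UACC=READ WARNING=NO
PROFILE DATASET PCI.ARCHIVE.** UACC=NONE WARNING=YES
PERMIT DATASET PCI.CREDIT.DATA ID=* ACCESS=READ
PERMIT DATASET PCI.CREDIT.DATA ID=PCIADM ACCESS=UPDATE
PERMIT DATASET PCI.ARCHIVE.** ID=* ACCESS=NONE
GAT DATASET PCI.TEMP.** ACCESS=UPDATE
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.check:15} {f.subject:28} {f.detail}")
```

The sample has PROTECTALL in FAILURES mode and still produces five findings, one for each item on the slide.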


How does Vanguard Help Address PCI DSS?

Vanguard Product Suite


Vanguard Configuration Manager™

• What is Vanguard Configuration Manager™?

– Vanguard Configuration Manager™ Automates the Process of Testing Mainframe Security Configuration Controls to Assess their Compliance with the IBM® z/OS and RACF Configuration Checklist from the National Checklist Program (NCP) of the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS)

– Enhances z Systems® Security by Providing Built-In Configuration Control Details

– Automates Testing on more than 350 z Systems Configuration Control Checks

– Produces Accurate Compliance Reports in Minutes


How Does Vanguard Configuration Manager™ Address PCI DSS?

• Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters

- Requirement 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards

Sources of industry-accepted system hardening standards may include but are not limited to:

– Center for Internet Security (CIS)

– International Organization for Standardization (ISO)

– SysAdmin Audit Network Security (SANS) Institute

– National Institute of Standards and Technology (NIST)

• Requirement 3 - Protect stored cardholder data

- See ZICS Integrated Cryptographic Service Facility section


• Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs

- Since malware on z/OS is mainly concerned with gaining access to APF libraries, check ACP00060 validates that only appropriate users have access

• Requirement 7 - Restrict access to cardholder data by business need to know

- As well as specifying how Datasets and General Resources are to be protected, Vanguard Configuration Manager™ also controls what Roles are allowed to have access and what level of access

• Requirement 8 - Identify and authenticate access to system components

- Reporting

– See RACF - Security Server (RACF) Settings section

» Password Format

» Password Attempts

» Password Expiration

– See ZUSS – UNIX® System Services

– See AAMV - Inactivity Timers


• Requirement 10 – Track and monitor all access to network resources and cardholder data

- Use Vanguard Configuration Manager™ to report on SMF

- Includes checks in the AAMV, ACOM, ACP and RACF categories


Common PCI Requirements

NIST RACF Checklist

https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=55


Vanguard Configuration Manager™

Choose Which STIG level


Specify or create Baseline datasets


• Select a Category


• Category Report Summary


Vanguard Policy Manager™

• What is Vanguard Policy Manager™?

– Prevents execution of z/OS Security Server commands that do not comply with organizational-defined policies

– Enables enterprises to precisely control which users can execute specific commands, parameters and sub-parameters. Noncompliant commands are modified to comply with policy or prevented from executing.

– Enhanced logging features are provided to log command events regardless of resource-level or system-level audit settings


“Staying Compliant”

Continuous Monitoring Tools - Intrusion Prevention

Vanguard Policy Manager™

1. User issues a supported RACF command

“Continuous Monitoring and Policy Enforcement” of RACF Commands:

a) Validates that the command issuer is authorized to issue the command

b) Validates that the command is compliant with user-defined policies

c) Modifies commands to comply with written policies prior to execution

d) Fails non-compliant commands (e.g. unauthorized changes to the PCI.CREDIT.DATA profile)

e) Logs all command activity to System Management Facility (SMF)

PCI 10.2.2, PCI 10.2.7, PCI 7.2.3


How Does Vanguard Policy Manager™ Address PCI DSS?

• Requirement 7 - Restrict access to cardholder data by business need to know

- Can “Lock Down” PCI related RACF profiles once set up correctly

  – SETROPTS PROTECTALL settings

  – PCI related Dataset and General Resource profiles

• Requirement 8 - Identify and authenticate access to system components

- Lock down SETROPTS for password

» Password Format

» Password Attempts

» Password Expiration

• Requirement 9 - Restrict physical access to cardholder data

- Lock down SETROPTS ERASE-ON-SCRATCH

- Lock down PCI related Dataset Profiles for ERASE-ON-SCRATCH

• Requirement 10 - Track and monitor all access to network resources and cardholder data

- Lock down Audit Parms on PCI Dataset & General Resource Profiles


SETROPTS Policy


Not Authorized to change SETROPTS


Vanguard Policy Manager™

Dataset Policies


Not Authorized to Alter PCI DS Profile

• User had SYSTEM SPECIAL but was not authorized to the $VPM PCI profiles. Command NOT executed

• Gets logged as a violation. Can be reported on using Vanguard Advisor™ (usually the next day) or can use Vanguard Active Alerts™ to send an immediate notification


Vanguard Policy Manager™

Enhanced Command Logging


Vanguard Enforcer™

• What is Vanguard Enforcer™

- Ability to notify and optionally Correct

- Manage the Security Implementation Baseline that Enforces Your Security Policies

- Continuous Scanning of RACF Security Profiles Looking for Deviations from the Baseline

- Logs all Scan Operations and Deviations Found


How Does Vanguard Enforcer™ Address PCI DSS?

• Requirement 7 - Restrict access to cardholder data by business need to know

- Can ensure that if someone does get access that they are not supposed to have, you are either notified or it can change the setting back

• Requirement 10 - Track and monitor all access to network resources and cardholder data

- 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts

  – Make sure that SMF Parmlib is not changed (could affect what is being collected)

  – Make sure that new SMF exits are not implemented, etc.

• Requirement 11 - Regularly test security systems and processes

- 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files or content files


Vanguard Enforcer™ Sensor Notification Alert - Example


Vanguard Advisor™

• What is Vanguard Advisor™?

- Uses Live or Historical SMF Records and Log Stream Data

- Conduct a Wide Variety of Analyses from an Array of Packaged and Customizable Reports

- 100s of Pre-Built Commonly Used Reports

- Customized Reports without the need to Learn Complex Reporting Languages

- Deliver Violation Notices and Reports via Email


How Does Vanguard Advisor™ Address PCI DSS?

• Requirement 4 - Encrypt transmission of cardholder data across open, public networks

- Can help prove that you are using a secure version of FTP and a safe (secure) cipher

• Requirement 10 - Track and monitor all access to network resources and cardholder data

- 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity


PCI Requirement 4

FTP Advisor Report


Vanguard Multi-Factor Solutions

• What are the Vanguard Multi-Factor Solutions?

– Two-Factor (Multi-Factor) Authentication

» Vanguard ez/PivCard Authenticator™

» Vanguard ez/Token™

» Vanguard Tokenless Authentication™

• How Do Vanguard Multi-Factor Solutions Address PCI DSS?

- Requirement 8: Identify and authenticate access to system components

  8.3 Secure all individual non-console administrative access* and all remote access to the CDE using multi-factor authentication

– By employing at least two of the following methods to authenticate users

» Something you know, such as a password or passphrase

» Something you have, such as a token device or smart card

» Something you are, such as a biometric

* New with PCI DSS 3.2


Some Professional Services Solutions

Vanguard Professional Services also has additional offerings to help you get PCI DSS Ready.

• Limit access to system components & CHD…Role Based Access (PCI DSS 7.1)

• Annual Penetration Testing including z/OS (PCI DSS 11.3)

• DB2 to RACF Security migration assistance


The End


Thank You

Here are some helpful Websites:

Requirements and Security Assessment Procedures

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

PCI SSC Data Security Standards

https://www.pcisecuritystandards.org/security_standards/index.php

NIST Checklist

https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=55


May 23 – May 26 Basics of RACF Administration 24 CPE 4 days Online

June 1 – June 3 RACF Security for z/OS Applications – ALL MODULES 18 CPE 3 days Online

June 1 RACF Security for z/OS Applications – MODULE 1 – RACF for DB2 6 CPE 1 day Online

June 2 – June 3 RACF Security for z/OS Applications – MODULE 2 – RACF for CICS 12 CPE 2 days Online

June 6 – June 9 Beyond RACF Basics 24 CPE 4 days Online

June 13 – June 15 Auditing z/OS and RACF 18 CPE 3 days Online

June 21 – June 24 Beyond RACF Basics 24 CPE 4 days Jacksonville, FL

June 27 – June 30 Basics of RACF Administration 24 CPE 4 days Online

Vanguard zSecurity University™

Register to attend a course, or to get more information: http://www.go2vanguard.com/training

Don’t forget that all of the Vanguard zSecurity University™ courses are eligible for CPE Credits.

Customer Savings: Special Discounts for Software Customers and VSC 2016 Attendees


To register for a webinar or training course:

go2vanguard.com Select - Training



Questions?

How to Contact Us Vanguard Integrity Professionals

6625 South Eastern Ave., Suite 100

Las Vegas, NV 89119-3930

Direct/International: (702) 794-0014

Toll Free: (877) 794-0014

Fax: (702) 794-0023



Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to

view these materials for your organization’s internal purposes. Any unauthorized reproduction,

distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard SecurityCenter, Vanguard SecurityCenter for DB2, Vanguard Offline, Vanguard Cleanup, Vanguard PasswordReset, Vanguard Authenticator, Vanguard inCompliance, Vanguard IAM, Vanguard GRC, Vanguard QuickGen, Vanguard Active Alerts, Vanguard Configuration Manager, Vanguard Configuration Manager Enterprise Edition, Vanguard Policy Manager, Vanguard Enforcer, Vanguard ez/Token, Vanguard Tokenless Authenticator, Vanguard ez/PIV Card Authenticator, Vanguard ez/Integrator, Vanguard ez/SignOn, Vanguard ez/Password Synchronization, Vanguard Security Solutions, Vanguard Security & Compliance, Vanguard zSecurity University

The following are trademarks or registered trademarks of the International Business Machines Corporation:

CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product and service names may be trademarks or service marks of others.