Don’t Look Now, But PCI Just Changed Again
March 8, 2017 Alex Woodie
Heads up, IBM i shops: Companies that process any volume of credit card transactions now must send self-assessments to their acquiring banks under the jurisdiction of the Payment Card Industry’s Data Security Standard (PCI DSS). This is a pretty significant change, as previously only merchants processing large volumes were subject to strict PCI DSS requirements.
On January 31, a new PCI provision went into effect that requires Level 4 merchants to submit a Self-Assessment Questionnaire (SAQ) to their issuing banks. Previously, Level 4 merchants, which are defined as processing 20,000 or fewer ecommerce transactions or 1 million total transactions, were exempt from the SAQ requirement. Companies processing more transactions, defined as Level 1 merchants, have even stricter requirements, including annual audits of computer systems and quarterly network scans.
Even so, the SAQ can institute a considerable burden on IT departments that are already cut to the bone. “The Self-Assessment Questionnaire can be up to 500+ questions and take months to complete,” says Ira Chandler, CTO for Curbstone Corp., a provider of IBM i payment software. “And, an officer of the Company has to sign an Attestation of Compliance in blood that the SAQ is accurate,” he adds, with some exaggeration.
Visa, the credit card company behind PCI, says small companies are being targeted by cybercriminals. “Based on recent forensic investigations, small merchants remain a target of hackers attempting to compromise payment data,” the company says in a January 2016 security bulletin (pdf). “Additionally, investigators have identified links between improperly installed POS applications and merchant payment data environment breaches.”
Level 4 merchants – which includes any company processing credit card transactions for any reason, not just retailers – faced other PCI changes starting January 31, 2017, including the requirements that they work only with POS application and terminal resellers and integrators who are PCI-certified under its Qualified Integrators and Reseller (QIR) program.
“Using organizations that have completed the PCI SSC QIR training program helps improve security by ensuring that payment applications and terminals are installed and integrated in a manner that mitigates payment data breaches and facilitates a merchant’s PCI DSS compliance,” Visa states in the security brief.
Banks are now warning merchants about changing PCI requirements.
Even if a company isn’t processing credit card transactions using IBM i-based software, the company’s entire IBM i infrastructure can fall within the purview of PCI DSS because of the way the regulation was written, Chandler says.
“If you touch the card data on your workstations that also runs a green screen emulator or web-browser access to your network and IBM i, that puts the entire network in ‘scope’ of the security mandates,” Chandler tells IT Jungle via email. “If it is connected by copper or Wi-Fi, it is included. So even if an IBM i order entry operator keys the card into a bank web site for authorization in a web browser, that workstation is in scope and the rest of the infrastructure is also, including the i.”
Making matters worse is the fact that PCI DSS was largely written from the point of view of an auditor who’s familiar with Windows and Linux systems, not an IBM i system, which has a different security model than Linux and Windows systems and is not always easy to translate. This situation has befuddled the big auditing companies that have been asked to audit the big IBM i shops to some extent, and now that security mismatch is set to play out on the smaller stage.
“The big companies have to have a third party perform the audit, and their familiarity with the i is minimal at best,” Chandler says. “Now that the small companies have to self-audit, they are even less prepared to translate the Windows/Linux-centric security questions into 400-ese.”
For example, the PCI DSS requirements demand that anti-virus software be installed on every system. “You try to explain that we do not even have anti-virus products that run against the Library File System,” Chandler says. “Good luck with that.”
Your entire IBM i infrastructure can come under the scope of PCI DSS if your employees key transaction data via a workstation that’s also connected to IBM i.
IBM i security, if properly implemented, is certainly strong enough to pass PCI requirements, and is even overkill for the requirements, Chandler says. But passing PCI muster isn’t a straightforward deal, owing in part to the centralized nature of the IBM i server.
“In the other [X86] world, they expect to have one box to do each individual chore – database, authentication, front-end, Web presentation, etc.” Chandler says. “On the i, we can do everything on one box and the segregation is not as easily demonstrable as it is with 13 individual $1,200 Linux servers connected with Ethernet.”
Log management adds more challenges. “The reporting required to satisfy the PCI regs would require a 3rd party product, like Townsend’s LogAgent and an external target for that traffic,” Chandler explains. “This requires intimate knowledge of security configuration on the box and even more about how the messages are interpreted by external logging software that looks for anomalies.”
Smaller IBM i shops that struggle with the SAQ may have no choice but to hire a qualified security assessor (QSA) to carry out the self-audit for them. The problem is that this costs additional money (although it generally helps the QSA become familiar with the IBM i, so maybe they’ll accept a discount for on-the-job training).
IBM i shops can escape much of this hassle – and qualify for the less stringent SAQ C-VT questionnaire, which has only 81 questions – if they can prove that their core IBM i server is not in scope of the PCI DSS.
Chandler says the PCI DSS is most concerned with isolating three key pieces of data necessary to process credit card transactions: the card number, the expiration date, and the security code. “If there was a way to eliminate the handling of the three sensitive fields of card data . . . from the workstations and the rest of the existing infrastructure, you could take all of that out of PCI scope,” he says.
Companies can lessen the scope of their PCI requirement by distancing their IBM i server from transactions.
Curbstone recommends that IBM i shops do this by purchasing an inexpensive Android tablet to enter the three key pieces of data on, and hooking it up to a dedicated Wi-Fi router. The challenge is that most IBM i shops processing transactions want to avoid double-keying all the other pieces of data that are required by the issuing bank to get the merchant the best rate on credit card authorization, including amount, invoice number, business unit ID, billing address and zip, tax flag, tax amount, destination zip code, and customer P.O. number.
Curbstone developed a Web portal-based solution that uses REST APIs to suck up all that metadata about the transaction, but leaves the three key pieces of data out of the pipe, and requires the operator to enter them manually on the tablet, thereby taking the IBM i server out of scope for the PCI.
It’s a solution that could work for other Level 4 IBM i shops facing the new PCI DSS requirement that went into effect 36 days ago.
RELATED STORIES
Consider Tokenization to Avoid PCI Stress
PCI 3.0 Gets Positive Initial Reviews from Security Pros
Curbstone Revamps Card Payment Software to Avoid PCI Exposure
This is is not new. Visa is not the only card brand behind the PCI framework. This article is littered with outdated, and non-truths. A web portal won’t take your server out of scope if that server is involved in any part of processing, storing, or transmitting card data. ““The Self-Assessment Questionnaire can be up to 500+ questions and take months to complete.” If you have a competent team, even the most intensive SAQ (D) will only take a few hours (so long as every requirement is in place).
Wow, Kevin. Thanks for the counterpoint. As the source for much of this, I would like to respond.
VISA- CORRECT:
Visa is not the only brand, absolutely, but they are the best source to see the latest PCI mandates IN ACTION, as they have the best infrastructure to convey it to the public. So, while I may *USE* Visa as an example, and Alex may have pointed at them, MC, Discover, AmEx and JCB are the founders, in fact. In fairness to Alex, he knows that the VISA company had the FIRST security standard, CISP, in 1999, and then the Payment Application Best Practices (PABP) standard in 2004. Those are what morphed into the PCI DSS, so, technically, Alex is correct, PCI took CISP and PABP and renamed them PCI DSS. That qualifies are being the primary company “behind” PCI. The mandate discussed, though, is from PCI, to be enforced 01/31/2017.
OUTDATED- NOT CORRECT:
The “new” enforcement requirement is not “outdated”. In fact, while I may offer historical references, I do know of anything that is SUPERSEDED, rendering it inaccurate. Outdated, but still in force is OK. Superseded is not, and I stand behind every fact presented, and invite you to show me where I am incorrect. As a 24 year veteran of this specific industry, I have seen the progression of mandates, and am very careful about accuracy…
PORTAL- CORRECT:
A web portal would *NOT* take infrastructure out of scope that STILL touches card data (store|process|transmit in PCI terms.) You are right. HOWEVER, I never said that. In fact, the second to last diagram clearly portrays the OPPOSITE see: “Entire Existing Computing…” Then I say:
…“If you touch the card data on your workstations that also runs a green screen emulator or web-browser access to your network and IBM i, that puts the entire network in ‘scope’ of the security mandates,” Chandler tells IT Jungle…
If the portal had the seamless integration using remote tokenization with the ERP, and the infrastructure does NOT touch the card data, and the device that DOES is “Isolated” per the SAQ C-VT requirement, then the Portal works! We have this (Curbstone C3 IPT) deployed and approved by PCI QSAs.
SAQ D- NOT CORRECT:
You contest my point of months required with HUGE qualifications. “Competent team” and “every requirement in place” are just a few words, but totally unrealistic. This article is not for NY Life, who has an encryption team larger than my whole company, this article is for the LEVEL 4 merchants running LESS THAN 1 Million transactions per year, and less than 20K e-commerce. From my experience, I can assure you that THEY do not have “teams” at all, and do not have “every requirement” in place.
In addition, you unfairly discard the work required to setup a PCI compliant environment to satisfy the SAQ D requirements. For a Fortune 500 company, it is no big deal, maybe. But we are addressing Level 4 merchants of smaller size.
As a software vendor who has been security audited by third parties since 2003, I can assure you that getting to SAQ D level compliance takes months, and with some customers of ours, years. That was why we built our Portal that can move them from D to C-VT while maintaining seamless integration.
Certainly, you agree that a simple, painless, 40 (relevant) questions from the SAQ C-VT is preferable to the 500+ of the SAQ D, so long as you can have seamless integration?
I wrote the first commercial credit card software for the AS/400 in 1993, and have serviced this specific market for 24 years with hundreds of customers. My company has been audited to every standard you have ever read about, CISP, PABP, PCI DSS SAQ D, SAQ C-VT, PA-DSS, QIR, and ultimately, for the last three years, the toughest, “Service Provider Level 1”.
My comment about the months required was OBVIOUSLY pointing to the amount of effort required to achieve “every requirement in place”. And, you must admit, months of effort go into MAINTAINING those requirements throughout the years.
If anything is factually incorrect, superseded, or misleading, please let me know, as Alex is fastidious about the accuracy of his articles.
Kevin, I appreciate your comments and welcome this educational discourse.