Safestone Gives Away Free PCI Assessments to i OS Customers

April 7, 2009 Alex Woodie

Interested in how your System i (AS/400) environment stacks up against the Payment Card Industry’s Data Security Standard (PCI DSS)? Then you might consider downloading a free tool from Safestone Technologies‘ Web site, which will scour your i OS security settings, compare the results against the major PCI requirements, and give you a plain English report that details what areas of System i security you need to work on.

Compared to other government or industry mandates, the PCI DSS has been heralded for its detailed IT security requirements. Instead of providing wishy-washy IT guidelines that must be first interpreted before implemented (i.e. SOX), the PCI DSS provides a comprehensive list of security provisions that must be implemented to avoid paying hefty fines for noncompliance. For IT pros with a binary view of the world, PCI DSS gives them reason to be confident, instead of fearful of succumbing to a gray-zone interpretation.

With that said, not all of the PCI DSS requirements map cleanly to the System i world. The requirements were sculpted in the image of its drafter’s world view–which means lots of Unix and Windows terms–so it can take a little bit of time to fully understand the repercussions that PCI DSS holds for System i shops.

The System i security pros at Safestone have done their share of PCI DSS work, and some of this work is on display for anybody to tap into with the new PCI Compliance Assessment.

The first step in the assessment is filling out a form at www.safestone.com/pciaudit. You will be required to separate with your contact information, which Safestone will most likely use to sell you their System i security software. Of course, you can opt out of Safestone’s list after running the compliance assessment, if you want.

Next, you will be given information on how to download the PCI assessment tool. After this tool is installed on your System i server and does its thing, it removes itself from the system, so you don’t have to worry about cluttering up your system.

The tool looks at various aspects of your System i security settings and sees how they stack up against the six areas of IT control as defined by PCI. In System i terms, the tool will be looking at things like your selected security level, whether you’re using encryption, what kind of system access your users have, whether you have exit programs in place, and how secure their user IDs and passwords are.

Customers are provided with a PDF report that grades their i OS security settings against PCI standards as part of Safestone’s free PCI compliance assessment offer.

Safestone will then generate a report detailing how your System i fared. For each category, the report provides details about the customer’s specific security settings. This information is communicated in sentences as well as in graphic form, making it easy to interpret the results. Reports are customized for each customer, with grades of good, fair, or fail for each category, as well as specific recommendations for fixing the problems and achieving compliance.

Much of the value in Safestone’s reports resides in the recommendation sections. For some of the problems, the fixes are simple. For example, it’s widely maintained that you must be at a minimum security level of 40 to pass a PCI audit. If you’re currently at security level 30, you must move to security level 40 to pass (of course, that’s easier said than done).

For other areas, Safestone recommends you look at third-party tools for solutions to problems such as audit reporting and encryption. It’s no surprise that Safestone would recommend its own exit program monitoring solutions or auditing tools for the System i server. But Safestone also directs customers to other System i software vendors for solutions, such as nuBridges for i OS encryption, according to the sample PCI assessment available on Safestone’s Web site.

According to Safestone, undergoing a PCI assessment does not guarantee an organization can prevent a security breach. But it does help to ensure every measure is taken to secure sensitive customer information, and to avoid the kind of security breach that occurred in 2007 at TJX, the company says.

“No one wants their company associated with the type of breach TJX experienced,” says Safestone COO Terry Heath. “This breach resulted in 94 million accounts being compromised with losses exceeding $70 million due to fraud. We want to give System i shops an easy way to be proactive when it comes to PCI compliance by sharing our years of experience through offering this free assessment to any company with a System i.”

Safestone says the PCI compliance assessment is the first of several free assessments it will be providing to the System i community this year. For more information or to sign up for the assessment, visit the company’s Web site at www.safestone.com.