Streamlining PCI DSS 4.0 Compliance for IBM Z Series Customers

Written by Thomas Stoesser | May 15, 2025

IBM Z Series customers traditionally include some of the world’s biggest financial services and retail companies. This puts them firmly in the crosshairs of the Payment Card Industry Data Security Standard (PCI DSS). Yet while compliance can be onerous for smaller businesses, the challenges are often multiplied for those storing, processing and/or transmitting huge volumes of cardholder data (CHD).

Fortunately, comforte has the technology and know-how to reduce the scope and cost of PCI DSS compliance, and help IBM customers to adapt to the new regulatory regime.

What’s new in PCI DSS 4.0?

PCI DSS was originally a card industry response to the growing threat to CHD posed by cyber-thieves, and the knock-on impact of rising card fraud levels. Those threats have continued to evolve and grow over the years since the standard was first launched back in 2004. Fed by an infostealer epidemic, the cybercrime underground is awash with personal data, including logins that adversaries can use to access sensitive corporate systems en route to data stores. And card fraud losses were predicted to hit $13.8bn by the end of 2024.

PCI DSS 4.0 is the card industry’s response. It’s designed to offer more flexibility on the one hand, while also requiring retailers, financial institutions and others to tighten up security in other areas. The new version introduces dozens of new requirements, summarized neatly here. But some of the main areas of change include:

  • A new “customized approach” option, which allows organizations to implement security controls in a way that best suits their technology setup and risk profile
  • Tighter rules on vulnerability remediation, so that firms manage all “applicable vulnerabilities” that they find via scans (not just those ranked as high-risk or critical)
  • Stronger authentication, including multi-factor authentication (MFA) for access to cardholder data environments (CDEs)
  • Stronger encryption of CHD, even on trusted networks
  • Improved security awareness training for all staff
  • Targeted risk assessments to identify and remediate vulnerabilities
  • More rigorous testing of security controls

Mainframe challenges

IBM Z Series customers may have chosen the mainframe brand in part because of its superior built-in security capabilities. But there are still going to be some potential bumps in the road when complying with PCI DSS 4.0. Mainframe technology requires a specific set of skills that many organizations may find are increasingly in short supply. Aside from this, they may have to manage:

  • Sprawling, heterogeneous environments featuring legacy applications, in which it may be challenging to deploy modern security controls
  • Specialized security configurations that must be updated in line with PCI DSS 4.0
  • Diverse, interconnected systems spread across the mainframe and cloud, making it more challenging to track down and protect all CHD, and even to define the CDE

Leading the way with comforte

Fortunately, comforte has plenty of experience with PCI DSS compliance, and is a long-time partner of IBM. Our data-centric security approach aligns closely with the standard, while our SecureDPS solution empowers Z Series customers to continually discover and classify data and apply strong data protection (e.g. format-preserving tokenization).

In summary, comforte offers IBM Z Series customers:

  • Seamlessly integrated data protection capabilities built for demanding IT environments
  • A potential way to reduce the cost and scope of PCI DSS compliance (by tokenizing data)
  • Utility of data (e.g. for use in analytics) without compromising on security or compliance

One of the key motivations behind PCI DSS 4.0 was to encourage complying organizations to think of security as a continuous process—a journey characterized by best practice, rather than a destination reached by ticking boxes and buying point solutions. With our continuous approach to data discovery, classification and protection, that is 100% the comforte way.