When I first started doing PCI DSS work, back under the Visa CISP and MasterCard SDP programs that preceded it, one of the biggest problems I ran into was what to do with one of those fancy mainframes. In this job you see all manner of mainframes. I’ve seen everything from shiny, brand new z/OS sysplexes, to aging but functional Tandems, to an OS/390 system that literally had not had a single change performed on it in more than two years.
How does anti-virus apply to those again?
I recently fielded a question about mainframes, and whether they still “get a pass” on certain requirements such as anti-virus (Requirement 5) and rendering stored cardholder data unreadable (Requirement 3.4). As with most PCI DSS interpretation questions, the answer depends on the implementation and on the controls built into the mainframe environment.
When considering mainframes and PCI DSS compliance, you have to realize that the standard, as written, may not directly apply to those systems. Going out on a limb, I would argue that the intent behind the standard is to cover any system that stores, processes, or transmits cardholder data, but in reality many of the requirements were written with distributed systems in mind. The thought of anti-virus on a mainframe is laughable, but anti-virus on a Microsoft Windows guest running on top of a future version of z/VM? That’s a different story.
From a data protection perspective, strong access controls using RACF, ACF2, or Top Secret (there are probably others) can be sufficient to meet Requirement 3.4, which according to clarifications from the Council is about rendering the data unreadable, not specifically about using encryption. Encryption is one method, but RACF dataset profiles that allow only process or service accounts to read the data in unencrypted form (i.e., no interactive login accounts at all) could also satisfy that requirement. Expect to document it as a compensating control, and expect the assessor to check the access list for the usual leaks: privileged attributes such as OPERATIONS and SPECIAL, and the storage and backup administrators who can read the data without ever touching the application.
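As an added illustration (this is not from the original post, and not any particular shop’s configuration), here is roughly what that RACF posture looks like, written as a CLIST so the comments are legal. The dataset prefix `PROD.CHD.**`, the service user ID `CHDBATCH` and the group `CHDOPS` are assumptions for the example; the command syntax is standard RACF.

```clist
/* Group that owns the cardholder-data profiles (assumed name).          */
ADDGROUP CHDOPS

/* Cover every cardholder-data dataset with one generic profile:         */
/* default access for everyone is NONE, and every access attempt is      */
/* logged, successful or not.                                            */
ADDSD 'PROD.CHD.**' UACC(NONE) OWNER(CHDOPS) AUDIT(ALL(READ))

/* A protected user ID for the batch job that needs the clear PAN.       */
/* NOPASSWORD NOOIDCARD means this ID cannot be used to log on to TSO,   */
/* so nobody can sit at a terminal and browse the data as CHDBATCH.      */
ADDUSER CHDBATCH NOPASSWORD NOOIDCARD DFLTGRP(CHDOPS) OWNER(CHDOPS)

/* Only that service ID goes on the access list, and only for READ.      */
/* No UPDATE or ALTER for anyone; changes are made through the batch job.*/
PERMIT 'PROD.CHD.**' ID(CHDBATCH) ACCESS(READ)

/* Make the new generic profile take effect immediately.                 */
SETROPTS GENERIC(DATASET) REFRESH

/* Fail closed: a dataset with no covering profile is inaccessible.      */
/* Turn this on only after every production dataset has a profile.       */
SETROPTS PROTECTALL(FAILURES)

/* Verify: the access list should contain CHDBATCH and nothing else.     */
LISTDSD DATASET('PROD.CHD.**') AUTHUSER
```

The last command is the one to run during the assessment. A clean access list still does not settle the question on its own: user IDs holding the OPERATIONS attribute can read the datasets regardless of the profile, so a review of who holds OPERATIONS and SPECIAL belongs in the same evidence package.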
So do they get a pass? Not in the least. But a well run mainframe, supported by roles created with security in mind, will do just fine in a PCI DSS review. Just having a mainframe is not good enough. It still needs to be patched (the relevant HIPER PTFs and security fixes for non-OS software, folks, not necessarily major releases), the version of the OS running on it needs to be supported (so if you have z/OS V1R3 and no extended support contract with IBM, it won’t pass muster), and the access controls need to be set up appropriately (if everyone has some kind of admin access because the last guy couldn’t figure out RACF, that’s a problem).
See my old article, The Art of the Compensating Control, and Chapter 12 of PCI Compliance, for more details.