Did you know PCI has changed again?

May 18, 2017 | By Natasha Miranda


Companies processing credit card transactions will need to present a self-assessment to their bank. The requirement comes from the Payment Card Industry Data Security Standard (PCI DSS). This is a new change: previously, only merchants with large transaction volumes were subject to this scrutiny and required to furnish this detail.

A new PCI provision was introduced on January 31, and when it came into effect it required Level 4 merchants to complete a Self-Assessment Questionnaire (SAQ) and send it to their issuing bank. Earlier, any Level 4 merchant that processed 20,000 or fewer transactions, or a total of 1 million transactions, was exempt from self-assessment. Companies that processed more transactions had to undergo stricter audits, in which they were asked to submit annual audits of computer systems and network scans.

The need to furnish an SAQ is already considered an extra burden on the IT department. “The Self-Assessment Questionnaire can be up to 500+ questions and take months to complete,” says Ira Chandler, CTO for Curbstone Corp., a provider of IBM i payment software. “And, an officer of the Company has to sign an Attestation of Compliance in blood that the SAQ is accurate,” he adds, with some exaggeration.

Visa, the credit card company behind PCI, says small companies are being targeted by cybercriminals. “Based on recent forensic investigations, small merchants remain a target of hackers attempting to compromise payment data,” the company says in a January 2016 security bulletin (pdf). “Additionally, investigators have identified links between improperly installed POS applications and merchant payment data environment breaches.”

Under the Level 4 merchant rules, any company processing credit card transactions was required to work only with POS application and terminal resellers that are certified under the PCI Qualified Integrators and Resellers (QIR) program.

“Using organizations that have completed the PCI SSC QIR training program helps improve security by ensuring that payment applications and terminals are installed and integrated in a manner that mitigates payment data breaches and facilitates a merchant’s PCI Compliance,” Visa states in the security brief.

Even if a company isn’t processing credit card transactions using IBM i-based software, the company’s entire IBM i infrastructure can fall within the purview of PCI DSS because of the way the regulation was written, Chandler says.

“If you touch the card data on your workstations that also runs a green screen emulator or web-browser access to your network and IBM i, that puts the entire network in ‘scope’ of the security mandates,” Chandler tells IT Jungle via email. “If it is connected by copper or Wi-Fi, it is included. So even if an IBM i order entry operator keys the card into a bank web site for authorization in a web browser, that workstation is in scope and the rest of the infrastructure is also, including the i.”

As a matter of fact, the PCI DSS was written from the point of view of an auditor who is familiar with Windows and Linux. IBM i has a different kind of security model from Windows and Linux. This difference is what the big auditing companies run into when they audit IBM i.

“The big companies have to have a third party perform the audit, and their familiarity with the i is minimal at best,” Chandler says. “Now that the small companies have to self-audit, they are even less prepared to translate the Windows/Linux-centric security questions into 400-ese.”

IBM i security, if properly implemented, is certainly strong enough to pass PCI requirements, and is even overkill for the requirements, Chandler says. But passing PCI muster isn’t a straightforward deal, owing in part to the centralized nature of the IBM i server.

Log management adds more challenges. “The reporting required to satisfy the PCI regs would require a 3rd party product, like Townsend’s LogAgent and an external target for that traffic,” Chandler explains. “This requires intimate knowledge of security configuration on the box and even more about how the messages are interpreted by external logging software that looks for anomalies.”
