Achieving PCI Compliance for Legacy Host Access

Credit card security is a top priority for consumers and businesses alike. But what happens when a breach exposes cardholder data to unknown parties, and what can a business do from an IT perspective to protect consumer information? When sensitive cardholder information resides on legacy host systems, host access technology can be a critical tool in achieving PCI DSS compliance. This article describes how the right host access tools reduce time to compliance and support safer information sharing, putting organizations on a path toward compliance with newer regulations as well.

To enhance payment account data security and ensure data privacy for consumers, major credit card companies - including Visa, MasterCard, and American Express - joined forces to create the Payment Card Industry Data Security Standard (PCI DSS), a set of 12 comprehensive data security requirements. Companies that transmit, process, or store credit card data are now expected to comply with these 12 requirements, and face mandatory quarterly security scans and, depending on volume, annual self-assessments or even audits. The PCI DSS mandate continues to be revised and updated with changes as recent as October 2008. These standards are evaluated on an ongoing basis to address emerging payment security risks and ensure organizations are proactively protecting customer account data.

The Twelve PCI Requirements*

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain security systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

The 12 requirements fall within six control objectives. These objectives are to 1) build and maintain a secure network, 2) protect cardholder data, 3) maintain a vulnerability management program, 4) implement strong access control measures, 5) regularly monitor and test networks and lastly, 6) maintain an information security policy.  The requirements themselves range from being relatively easy to implement - such as ensuring up-to-date antivirus software - to complex and demanding - such as tracking access to network resources and cardholder data. Implementation can often cross departmental boundaries, involve several teams, and affect multiple system platforms - an effort that can be both time consuming and expensive.

As organizations begin to assess where cardholder data resides, it is critical that they scrutinize their legacy assets, namely their host systems: mainframes, midrange systems, and UNIX servers. Access to cardholder information through the mission-critical applications and files that live on these systems is typically achieved with client-based terminal emulation and file transfer utilities, and this method of accessing cardholder data must itself be made PCI compliant.

While there is no blanket solution that covers all six control objectives and 12 requirements with regard to cardholder data on legacy systems, the right host access technologies can play a significant role in helping organizations achieve PCI DSS compliance. These tools can reduce time-to-compliance and support safer information sharing, and they put organizations on a successful path toward compliance as PCI evolves and newer regulations appear.

Host-Centric Security

Let's begin by addressing host-centric security issues. Legacy host systems store highly-sensitive cardholder data and run applications that enable access to that private information. Host systems may also hold cardholder data in files that need to be transferred over public networks. Due to the sensitive nature of the data, organizations need to restrict access to this data and encrypt it as it travels over the network. 

Users and system administrators also frequently rely on client-based utilities for accessing host applications and files. The user IDs and passwords used to gain access to host systems, as well as the sensitive information passing between the workstation and the host system, all need protection from prying eyes while in transit.

Lastly, client terminal emulators and file transfer clients by design provide access to the systems that host private data - which means that additional controls around access to these utilities themselves may need to be considered.

Well-designed terminal emulation and file transfer products can help ease time-to-compliance in as many as eight of the 12 PCI requirements, beginning with making secure connections to applications on legacy host systems. A proven, feature-rich product or product suite should provide a full range of encryption, authentication, and data integrity options.

Where PCI and Legacy Hosts Intersect

The intersection of PCI compliance and legacy host access generally encompasses requirements one, two, three, four, and six. When browser-based host access solutions are used, requirements seven, eight, and 10 come into play as well.

Requirement One

Requirement one instructs organizations to "install and maintain a firewall configuration to protect cardholder data." Every service, protocol, and port allowed through the firewall must be documented with a business justification, and for protocols considered insecure, such as FTP and Telnet, the security features or compensating controls implemented for them must be documented as well. Encrypted protocols such as Secure Shell (SSH) and SSL/TLS carry no such extra burden, which makes them the natural transports for terminal and file transfer traffic crossing the firewall.

The answer is to choose terminal emulation technology that encrypts the terminal data stream using acceptable secure protocols, namely SSH and SSL/TLS. Legacy FTP-based file transfer utilities need to be upgraded to SFTP (file transfer over SSH) or FTPS (FTP over SSL/TLS).

Requirement Two

Requirement two says, "Do not use vendor-supplied defaults for system passwords and other security parameters." This also relates to administrative access to key systems through methods other than a directly-connected console. 

The response here is to enable nonconsole administrative access to host systems with products that support the encryption of the terminal data stream using secure protocols such as SSH and SSL/TLS.  Some vendors also provide SSH servers allowing them to offer technical support and guaranteed interoperability for both ends of the connection; other vendors provide only SSH client capabilities.

Requirement Three

Requirement three, "protect stored cardholder data," can be addressed in part with a terminal emulator that masks primary account numbers (PANs). What is needed is an emulator with configurable privacy filters that conceal account numbers wherever the emulator would otherwise retain or reproduce them: in screen history windows, in printed reports, and on the clipboard. Note that masking the display does not by itself protect the data stored on the host; what it prevents is the emulator creating new, unprotected copies of the PAN on the workstation.
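As an added example (not code from the article or from any vendor's product), here is the core of such a privacy filter in Python: it finds runs of 13 to 19 digits on a line of screen, print or clipboard text, keeps only those that pass the Luhn check used by card numbers, and masks everything but the last four digits. The matching pattern and the sample screen lines are assumptions constructed for this example; the card numbers are published test numbers, not real cardholder data.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. The pattern is an assumption for this example;
# the article does not say how a vendor's privacy filter matches.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str, keep_last: int = 4) -> str:
    """Replace all digits except the last `keep_last` with '*', preserving separators."""
    n_digits = sum(ch.isdigit() for ch in text)
    to_mask = n_digits - keep_last
    out, seen = [], 0
    for ch in text:
        if ch.isdigit():
            out.append("*" if seen < to_mask else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def filter_line(line: str) -> str:
    """Mask every Luhn-valid PAN candidate on one line of screen, print or clipboard text."""
    def _mask(match):
        candidate = match.group(0)
        digits = "".join(ch for ch in candidate if ch.isdigit())
        return mask_pan(candidate) if luhn_ok(digits) else candidate
    return PAN_CANDIDATE.sub(_mask, line)


def filter_screen(lines):
    """Apply the privacy filter to a whole screen (a list of lines); returns new lines."""
    return [filter_line(line) for line in lines]


# Constructed 3270-style screen lines using published test card numbers (not real data).
SAMPLE_SCREEN = [
    "ACCOUNT INQUIRY            CUST 00451209",
    "CARD 4111 1111 1111 1111   EXP 12/26   STATUS ACTIVE",
    "CARD 378282246310005       EXP 09/25   STATUS ACTIVE",
    "ORDER 1234567890123456     SHIPPED",
]

if __name__ == "__main__":
    for line in filter_screen(SAMPLE_SCREEN):
        print(line)
```

The Luhn check is what keeps the filter from masking every long number on a screen (the 16-digit order number above fails it and is left alone); it is not proof that a number is a PAN, so a number that happens to pass Luhn will also be masked, which is the safe failure mode. PCI DSS permits displaying at most the first six and last four digits of a PAN; this example keeps only the last four.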

Requirement Four

Requirement four mandates that organizations' "sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals." Strong cryptography and security protocols should be used to safeguard sensitive cardholder data in transit.

Tackling this requirement is possible with a product that encrypts terminal and file transfer data streams using acceptable secure protocols, including SSH and SSL/TLS.  Additionally, your secure solution should offer approaches for encrypting connections to host systems, such as Unisys, that lack native encryption support.

All implementations of SSH and SSL/TLS should use strong cryptography - at the time of writing, Triple DES and AES - to encrypt cardholder data sent over the network. Look for solutions whose cryptographic modules have actually been validated under FIPS 140-2 (validation certificates are published by NIST's Cryptographic Module Validation Program), rather than solutions that merely claim it. Two caveats for readers applying this today: later versions of PCI DSS no longer accept SSL or early TLS as strong cryptography, so connections should negotiate TLS 1.2 or higher, and NIST has since deprecated Triple DES, so AES should be preferred.
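As an added example (not from the article or from any vendor's product), here is how a Python-based host access client would pin its transport to the choices this requirement calls for: TLS 1.2 or higher, AES-GCM or ChaCha20 suites with forward secrecy, no anonymous, NULL, RC4, MD5 or 3DES suites, and mandatory certificate verification. The `audit_context` function is the check a practitioner would run against a context before trusting it with cardholder data. The cipher string and the list of weak-suite markers are assumptions chosen for this example; the host name and port in the `__main__` block are placeholders.

```python
import socket
import ssl

# Name fragments that flag weak or anonymous cipher suites on a PCI-facing connection.
# List assumed for this example ("DES" also catches the 3DES suites, e.g. DES-CBC3-SHA).
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT", "ADH", "AECDH")


def cipher_is_weak(name: str) -> bool:
    """True if an OpenSSL cipher-suite name carries a marker of weak crypto."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def secure_client_context(ca_file=None) -> ssl.SSLContext:
    """Client context suitable for an encrypted terminal or file transfer session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuses SSLv3, TLS 1.0 and 1.1
    # Forward-secret AEAD suites only; explicitly exclude the classes PCI treats as weak.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!MD5:!3DES:!RC4:!PSK:!SRP"
    )
    ctx.verify_mode = ssl.CERT_REQUIRED               # host must present a trusted certificate
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(ca_file)            # private CA used for the host's certificate
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context meets the checks above."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum protocol version is {ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("host name is not checked against the certificate")
    for suite in ctx.get_ciphers():
        if cipher_is_weak(suite["name"]):
            problems.append(f"weak cipher suite enabled: {suite['name']}")
    return problems


def wrap_host_connection(ctx: ssl.SSLContext, host: str, port: int) -> ssl.SSLSocket:
    """Open a TCP connection to the host and upgrade it to TLS (e.g. TN3270E over TLS)."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    context = secure_client_context()
    findings = audit_context(context)
    print("context audit:", findings or "clean")
    # Placeholder host and port; TN3270 over TLS is conventionally served on 992.
    # tls_sock = wrap_host_connection(context, "mvs01.example.internal", 992)
```

Run `audit_context` against whatever context your tooling builds, not only the one above: a default context inherited from an older Python or OpenSSL build may still allow TLS 1.0 or a 3DES suite, and the function reports exactly which setting fails.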

Requirement Six

Compliance with requirement six, to develop and maintain secure systems and applications includes installing vendor-supplied security patches shortly after their release.  This can be problematic.

To keep up with the rapidly evolving landscape of security threats, you need to partner with a vendor that monitors the leading security alert services and notifies you of relevant security vulnerabilities. Your vendor partner should employ security experts who maintain a series of technical notes, available on a support site, that describe published security vulnerabilities. If the product you're using is affected, you should be able to download the appropriate security patches. Your vendor's technical support team should be available to help you deal with any security issues that arise in their products.

PCI and Web-Based Host Access

Some host access solutions extend terminal emulation and file transfer clients into the realm of the web browser.  Through this approach, organizations can gain the benefit of web-based provisioning and centralized access to configurations. When browser-based host access tools are employed, the PCI requirements seven, eight and 10 become relevant.

Requirement Seven

Requirement seven mandates the restricting of access to cardholder data by business need-to-know. Only users whose job requires access to cardholder data can be granted that access, and the default configuration for users, unless otherwise allowed, should be set to "deny all."

All host systems offer some level of authorization and access control. Well-designed host access software will also allow you to add an additional layer of security that lets you control access to the applications such as terminal emulators and file transfer utilities that access your hosts.

Here is one way to approach it: Users can be required to sign onto a web site that provides links to terminal emulation and file transfer sessions. Authentication and authorization for sessions can be managed through your existing access control directory (e.g., Active Directory) allowing you to control access at the user or group level. The default setting should deny access to unauthorized users.

Requirement Eight

Under the "implement strong access control measures" objective, requirement eight directs organizations to "assign a unique ID to each person with computer access." Best practice requires each user to identify themselves individually before receiving access to cardholder data, so that every action can be traced to a person rather than to a shared account. Support for a variety of authentication methods also enables the two-factor authentication that PCI requires for remote access.

Put an authentication and authorization layer in front of access to terminal emulation and file transfer utilities that allows the unique IDs assigned within an existing user directory to be used for access control. In addition to password-based authentication, the solution should also support digital certificates for two-factor authentication.

Requirement 10

To effectively track and monitor all access to network resources and cardholder data in requirement 10, utilize host access technology that offers the ability to track host access activities at the user level through logging mechanisms.

Requirement 10 governs which events get logged for the purpose of auditing and which specific data points get captured in each logged event. A strong browser-based host access solution should log incoming access events and record details about the host systems to which users are connecting.
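The gateway pattern described under requirements seven, eight and 10, as an added example in Python (not code from the article or from any vendor's product): users are resolved through a directory, each host session is granted only to named directory groups with everything else denied by default, and every attempt, allowed or denied, produces an audit record carrying the data points PCI DSS 10.3 asks for (user ID, event type, date and time, success or failure, origination, affected resource). The directory contents, session names, host names and addresses are constructed for this example and stand in for a real directory lookup such as an Active Directory group query.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for a directory lookup (user -> directory groups). Assumed data.
DIRECTORY = {
    "jsmith": {"card-ops"},
    "mlee": {"settlement"},
    "tkhan": {"helpdesk"},
}

# Session entitlements: which directory groups may open which host session.
# A session that is not listed grants access to nobody (deny all by default).
SESSION_POLICY = {
    "CICS-CARDHOLDER": {"card-ops"},
    "SFTP-SETTLEMENT": {"settlement"},
}


def is_authorized(user: str, session: str) -> bool:
    """Deny-by-default check: the user must exist as a unique ID and share a group with the session."""
    groups = DIRECTORY.get(user)
    if not groups:
        return False
    return not groups.isdisjoint(SESSION_POLICY.get(session, set()))


def audit_event(user, session, host, origin, allowed, when=None) -> dict:
    """One audit record with the PCI DSS 10.3 data points."""
    when = when or datetime.now(timezone.utc)
    return {
        "user": user,                                   # 10.3.1 user identification
        "event": "host_session_open",                   # 10.3.2 type of event
        "time": when.isoformat(),                       # 10.3.3 date and time
        "result": "success" if allowed else "failure",  # 10.3.4 success or failure
        "origin": origin,                               # 10.3.5 origination of event
        "resource": f"{session}@{host}",                # 10.3.6 affected resource
    }


class HostAccessGateway:
    """Fronts terminal emulation and file transfer sessions with authorization and logging."""

    def __init__(self):
        self.audit_log = []

    def open_session(self, user, session, host, origin, when=None) -> bool:
        allowed = is_authorized(user, session)
        # Denied attempts are logged too; they are the events an investigator wants most.
        self.audit_log.append(audit_event(user, session, host, origin, allowed, when))
        return allowed

    def export_audit_log(self) -> str:
        """One JSON object per line, ready to ship to a central log server (requirement 10.5)."""
        return "\n".join(json.dumps(record, sort_keys=True) for record in self.audit_log)


if __name__ == "__main__":
    gw = HostAccessGateway()
    ts = datetime(2009, 3, 2, 14, 5, tzinfo=timezone.utc)
    gw.open_session("jsmith", "CICS-CARDHOLDER", "mvs01", "10.0.0.5", ts)   # allowed
    gw.open_session("tkhan", "CICS-CARDHOLDER", "mvs01", "10.0.0.9", ts)    # wrong group
    gw.open_session("jsmith", "TSO-ADMIN", "mvs01", "10.0.0.5", ts)         # unlisted session
    gw.open_session("nobody", "SFTP-SETTLEMENT", "mvs01", "10.0.0.7", ts)   # unknown user
    print(gw.export_audit_log())
```

The two deny paths matter as much as the allow path: an unlisted session name yields an empty entitlement set rather than an error, so a newly added host application is closed until someone deliberately grants it, and an unknown user is refused before the session name is even consulted.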

The Road to Compliance

Meeting the wide range of PCI DSS requirements isn't easy. The effort involved can be both time consuming and expensive for organizations. And unfortunately, no single security solution can meet all of your PCI compliance needs.

But selecting a secure host access solution, based on the above information, will help your organization take a big step towards PCI compliance.  You should also look for a secure shell solution that includes both SSH client and SSH server technology across a broad range of platforms, including UNIX, Linux and Windows, to guarantee interoperability. The right products, with tools that reside on both servers and user workstations, can reduce your time to compliance and support safer information sharing.

The 12 PCI requirements encapsulate many key principles of data security best practices.  Your efforts in achieving PCI compliance will make your IT environment more resistant to data security threats, and will facilitate compliance with other data security regulations your company encounters as time goes on.

*PCI DSS and "The Twelve PCI Requirements" Copyright © 2006 - 2009 PCI Security Standards Council, LLC. All rights reserved.