
How Mainframers Can Maintain PCI Compliance in Retail

Heidi Losee

July 5, 2018

Did you know that 23 of the world’s top 25 retailers rely on the mainframe to power their business? The mainframe plays an important role in the retail industry, helping all kinds of retailers deliver the personalized customer experience that shoppers are looking for. That’s possible partly because of its speed and scalability – the IBM z13 mainframe is capable of processing 2.5 billion transactions per day, which is the equivalent of roughly 100 Cyber Mondays.

But even though the mainframe is very commonly used in retail, security and compliance in retail IT may not be up to par. Anyone processing cardholder data – which means any retailer – has to make sure their IT systems are compliant with the Payment Card Industry’s (PCI) Data Security Standards (DSS). Unfortunately, retailers aren’t always fully compliant.

The goal of PCI DSS is to protect any cardholder data that’s stored, processed, or transmitted on any platform. Protecting this data is essential. Breaches and theft of cardholder data affect the entire payment card ecosystem, with customers losing trust in merchants and financial institutions, and merchants losing business in turn. In this environment, security is of the utmost importance.

The problem is, complying with the complex PCI regulations can be challenging, especially in a mainframe environment. I wrote about this challenge in a recent article for Retail TouchPoints. Check it out for a few tips on important ways retailers using the mainframe can stay compliant and protect consumers’ data.

Part of demonstrating PCI compliance is establishing a process to identify security vulnerabilities in the IT environment. Requirement 6.1 compels businesses to: “Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.”

That can be especially difficult since mainframe vulnerabilities and patches aren’t widely communicated by vendors. When businesses don’t have full visibility into the vulnerability landscape, how can they comply with this regulation and accurately assign risk rankings? That will remain a challenge, but for now, the team at Key Resources is hard at work developing the vulnerability scanning software that retailers can rely on to secure their business.