
PCI Compliance in the Mainframe: A Q&A with David Gamey of Control Gap

Heidi Losee

June 27, 2018

In the security world, few subjects receive more headlines than stories about credit card breaches. This one article alone covers four different companies that experienced data breaches earlier this year, affecting millions of credit cards. The headlines are littered with these cases because credit card breaches affect so many people, including average consumers who might otherwise never think twice about data security.

That’s part of the reason why the major credit card brands joined together to create the Payment Card Industry Security Standards Council, which is managed jointly by American Express, VISA, MasterCard, Discover and JCB International. The PCI Data Security Standard (DSS) was developed to define controls for merchants that store, process, or transmit cardholder data on any platform.

Ultimately, that means that IT professionals are tasked with making sure their organizations are adequately protecting cardholder data. That includes mainframe professionals – 87 percent of the world’s credit card transactions are processed on the mainframe. And yet, as I wrote in a recent piece for Bankless Times, many mainframes are currently not being evaluated or scanned accurately for PCI DSS compliance.

To explore the relationship between PCI compliance and mainframes, I spoke to David Gamey of Control Gap, a company that helps businesses understand and maintain PCI compliance. David also has a background in mainframe security, so he’s an expert on this topic. As he explained, it’s hard enough to stay compliant on distributed platforms, but things only get more complicated when you’re dealing with mainframes.

Why is it so uniquely difficult to manage PCI compliance in a mainframe environment?

Mainframe is sort of a specialized art, and unless you’ve had experience in that world, which is not a main focus for a lot of people, applying PCI to the mainframe can present unique challenges. The DSS isn’t necessarily written to deal with the complexities of mainframe, and yet PCI compliance often requires you to have a deep technical understanding of the technology you’re working with.

Also, current-day security testing practices, techniques and vulnerability management systems don’t actively research or address the information security profile of mainframe systems and applications. This leaves them as somewhat of an unknown from a security posture standpoint and to security practitioners. It’s not only the secrecy, but that large companies like banks and financial institutions are also risk-averse to subjecting mainframes to best-practice security testing and scanning, as they’re concerned about possible downtime caused by the testing.

What challenges might mainframe programmers encounter when trying to comply with the PCI DSS?

PCI requires that you patch critical security vulnerabilities within a certain period of time. It’s resource-intensive work: a patch list could have hundreds of patches, and they take time to apply.

A common challenge with the mainframe is simply identifying whether or not you have the most recent patches, because there is no public database that tracks mainframe vulnerabilities or fixes. Typically, mainframe programmers will need to check with their vendors to see if they’re up to date on patches, but vendors don’t share details explaining why a patch was released. So, it’s very hard to get a list of recently discovered vulnerabilities.

That makes it hard to follow another requirement under PCI, which states that companies should create a risk-ranking process, in which they identify and evaluate newly discovered security vulnerabilities that might have an impact on their organization. The lack of transparency and public reporting around mainframe vulnerabilities means organizations have a hard time satisfying this requirement.

What kinds of risk does that situation create for organizations?

Many organizations just decide that the effort isn’t worth it, so they decide to move credit card data off the mainframe so they don’t have to deal with it. That’s a big risk – the mainframe is a platform that, if properly configured and maintained, can offer the very best in world-class security.

But, because of the complexity, these companies are choosing not to store some of their most sensitive data on the mainframe. Now that data is on a distributed platform where it’s more vulnerable to common cybersecurity risks like ransomware. I don’t think this is happening in the financial industry as much as it is in retail and others.

This kind of scope reduction is effective when done right, but a lot of CIOs today are doing it out of convenience or cost concerns, and it might actually be putting them more at risk.

So, what’s the best way to securely manage cardholder data on the mainframe?

PCI is an open-book test. If you get the right stakeholders and the right technology in the room with experts who know the regulations, there’s no reason to fail this. Rather than compartmentalizing it as an IT issue or a security issue, you have to get the full organization on board to understand the challenges and come up with the right kind of program that keeps data safe and saves you money in the long run.

As you dig in, you’re going to have hard questions. Some organizations have to fundamentally look at how they do business and decide if something needs to change so they can meet security and compliance requirements.

PCI is pass/fail: you’re either compliant or not. If you’re not going to be compliant, there are other controls to put in place, but this is not a job for two weeks before your audit. You want to have it well planned out and integrated into your organization’s control structure.

To learn more about David and Control Gap, visit