This article claims mainframes have problems adhering to PCI and shouldn’t be used to drive ATMs, but this is a huge oversimplification. The IBM Z systems are explicitly called out but the IBM Z will run a range of operating systems including Linux, z/OS, z/VSE, z/TPF, and z/VM. So who is responsible for PCI compliance when the application is in Linux?
The article suggests that the senior management might fail to audit the mainframe, which is then entirely on that company, not the mainframe hardware. PCI compliance is not technology-specific it requires system architects and programmers to consider how PCI compliance will be implemented as the system is developed, regardless of hardware or operating system:
“Late last year, the PCI Security Standards Council and ATM Industry Association jointly issued a bulletin warning about cash-out attacks on ATMs in which fraudsters manipulated fraud detection mechanisms and stole money from ATMs. In a blog, the organizations recommended that banks operating ATMs through a mainframe use software designed to monitor any unusual changes in files that could indicate unauthorized access or malicious behavior. Such software is referred to as file integrity monitoring. File integrity monitoring became part of PCI regulation updates two years ago to address new needs as technology advances.
But though banks continue to lean on mainframes to process most transactions, including payments, experts wonder whether they are paying enough attention to this PCI recommendation. According to IBM, 44 of the top 50 banks use the IBM Z mainframe and 86% of all credit card transactions run through the Z mainframe.
PCI compliance efforts can slip past a bank security team for any number of reasons, one being the belief that the mainframe has been within PCI scope all along, another that upcoming changes will make mainframe compliance a moot point.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group