PCI Check Box Compliance – Volume 1

We just started an engagement with a new client a week ago.  While reviewing documentation, we came across this situation that I had to share because it points out how some QSAs out there just want to check a box and not use their heads.  It is this sort of mentality that gives all QSAs a black eye and it needs to stop.

In order to meet requirement 5 of the PCI DSS, one of the biggest QSACs required our new client to get anti-virus software for their IBM iSeries (aka AS/400) mainframe.  The rationale?  If there is an anti-virus solution published for an OS platform, there must be a virus or malware out there that it protects against.  Whoa!

This client also has AIX, IBM’s UNIX derivative, running.  Technically, ClamAV can be recompiled and installed on AIX, yet the QSA did not tell the client that they needed anti-virus on AIX.  So much for consistency.

Even without a decent technical background, a review of the Web sites offering anti-virus solutions for the iSeries would tell you that the QSA's logic was patently wrong.  All of the anti-virus solutions for the iSeries are very clear that the iSeries does not have any viruses or malware, but it can be a carrier if you have mountable file systems for Windows or UNIX defined on your iSeries.  In the case of this client, they do not have any mountable shares, so there is no risk.

However, if you do have an iSeries that has implemented Windows or NFS shares, there is a much simpler way to handle this situation.  Just use one of your existing systems that does have anti-virus installed to scan the mountable shares on the iSeries weekly.  We recommended this sort of approach for years in NetWare environments, which had notorious problems with anti-virus solutions installed under NetWare.  The NetWare shares were scanned by a Windows system that had administrator rights so it could scan everything in the mountable volumes.
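As an added example that is not part of the original post, here is one way to implement that weekly scan of the iSeries shares from a Windows host that already runs Microsoft Defender (the Defender PowerShell module postdates the post). The share path, log path, task name and service account name are placeholders; the account must be able to read the whole share, and an unreachable share is logged as a failure rather than a clean result.

```powershell
# Added example (not code from the PCI Guru post): scan an iSeries IFS share
# weekly from a Windows host that already runs Microsoft Defender, so the
# iSeries itself needs no AV product. Share, log, task and account names are
# placeholders. Run once with -Register to create the weekly task.
param(
    [string]$SharePath = '\\ISERIES-HOST\IFS-SHARE',           # placeholder UNC path
    [string]$LogPath   = 'C:\ProgramData\iSeriesScan\scan.log',
    [switch]$Register
)

if ($Register) {
    # Schedule this same script every Sunday at 02:00 under a service account
    # that has read rights to the share; the password is prompted, not stored.
    $args    = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" " +
               "-SharePath `"$SharePath`" -LogPath `"$LogPath`""
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $args
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
    Register-ScheduledTask -TaskName 'Weekly-iSeries-Share-Scan' `
        -Action $action -Trigger $trigger -RunLevel Highest -Force `
        -User "$env:USERDOMAIN\svc-avscan" `
        -Password (Read-Host 'Password for svc-avscan') | Out-Null
    return
}

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
$started = Get-Date
"$(Get-Date -Format s) scan start $SharePath" | Add-Content $LogPath

# An unreachable share is a finding for the weekly log, never a pass.
if (-not (Test-Path -LiteralPath $SharePath)) {
    "$(Get-Date -Format s) scan FAILED: share not reachable" | Add-Content $LogPath
    exit 2
}

try {
    # Custom scan limited to the share; Defender accepts the UNC path directly.
    Start-MpScan -ScanType CustomScan -ScanPath $SharePath -ErrorAction Stop
    # Report only detections raised during this run that point into the share.
    $hits = @(Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $started -and
        ($_.Resources -join ' ') -like "*$SharePath*"
    })
    "$(Get-Date -Format s) scan done: $($hits.Count) detection(s)" | Add-Content $LogPath
    foreach ($h in $hits) {
        "  threat $($h.ThreatID) in $($h.Resources -join ';')" | Add-Content $LogPath
    }
    exit ([int]($hits.Count -gt 0))   # non-zero exit lets the scheduler flag it
} catch {
    "$(Get-Date -Format s) scan FAILED: $($_.Exception.Message)" | Add-Content $LogPath
    exit 2
}
```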

I will not bore you with all of the technical details, but there are a number of reasons why an iSeries, or IBM zSeries, Unisys ClearPath and other ‘old’ technology systems for that matter, cannot be infected like a PC.  These mainframe systems are almost impossible to infect directly if they are running their ‘old’, proprietary operating systems such as zOS, MCP and the like.  The controls surrounding true ‘root’ access on these OSes are such that you really must be a ‘Geek God’ to have such rights.  Even systems programmers in these environments do not have those kinds of rights.  And then, even if you did have the ultimate rights, there are other controls in place that would only allow your code to function on a particular computer complex, so it would not necessarily be transferable to another system.  So much for infecting others.

But there is a risk with these platforms.  Most of these systems also will run slightly modified versions of Linux and UNIX, and those can definitely be infected.  In those cases, all bets are off and you need to treat this big iron just like its Intel brethren.

So, the lesson to be learned from this experience?  If you do not have expertise with a platform, find someone that does have that expertise.  After all, not everyone working on a PCI assessment must be a QSA.  The QSA just needs to always be on-site when the work is being performed.  So, use someone in your organization that has the platform expertise or find a sub-contractor that has the expertise, but do not try to wing it.  Winging it only makes all of us look bad.


1 Response to “PCI Check Box Compliance – Volume 1”

  1. boge
     April 19, 2011 at 1:02 PM

     Nice article… but lots of users on iSeries will have god rights. Why, you ask? Because they think the OS is great and secure, but it is only secure if you turn on all the security. Windows is very secure if you turn it all on, but just like all OSes, if you turn it off then it is wide open. I know this because I work with a system where the whole IT department has full rights to do anything; this automatically makes the system insecure.



November 2009