IBM Whitepaper
Payment Card Industry Data Security Standard
(PCI DSS)
How IBM DataPower Gateway helps with PCI DSS
Compliance
Priyanka Kohli
Product Manager – DataPower Gateways
Aug 2021
Copyright ©2021 IBM Corp.
Table of Contents
1. Introduction
2. Overview of PCI DSS and IBM DataPower Gateway
3. Goals for PCI DSS Compliance
   A) Build and Maintain a Secure Network and Systems
      Requirement 1: Install and maintain a firewall configuration to protect cardholder data
      Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
   B) Protect Cardholder Data
      Requirement 3: Protect stored cardholder data, and,
      Requirement 4: Encrypt transmission of cardholder data across open, public networks
   C) Maintain a Vulnerability Management Program
      Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
      Requirement 6: Develop and maintain secure systems and applications
   D) Implement Strong Access Control Measures
      Requirement 7: Restrict access to cardholder data by business need to know, and,
      Requirement 8: Identify and authenticate access to system components, and,
      Requirement 9: Restrict physical access to cardholder data
   E) Regularly Monitor and Test Networks
      Requirement 10: Track and monitor all access to network resources and cardholder data
      Requirement 11: Regularly test security systems and processes
   F) Maintain an Information Security Policy
      Requirement 12: Maintain a policy that addresses information security for all personnel
4. Conclusion
5. Contributors
1. Introduction
The objective of this whitepaper is to provide information regarding the
Payment Card Industry Data Security Standard (PCI DSS) and the ways in
which IBM DataPower Gateway (IDG) helps achieve compliance. This document
was created with reference to the requirements and security assessment
procedures listed in PCI DSS v3.2.1 from the PCI Security Standards
Council, documented at
https://www.pcihispano.com/contenido/uploads/2016/09/PCI_DSS_v3-2-1.pdf
The Payment Card Industry Data Security Standard (PCI DSS) is a global
security program that was created to increase confidence in the payment
card industry and reduce risks to PCI members, merchants, service
providers and consumers. The standard aims to increase the controls
around cardholder data in order to reduce credit card fraud resulting
from its exposure. Compliance is validated annually, by an external
Qualified Security Assessor (QSA) for organizations handling large
volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for
companies handling smaller volumes.
PCI DSS applies to any organization, in any industry, that stores,
processes, uses, or transmits cardholder data and/or sensitive
authentication data. The objective of PCI DSS is to protect cardholder
data and sensitive authentication data against any unauthorized access,
use, disclosure, disruption, or modification. Cardholder data includes
the primary account number (PAN), cardholder name, expiration date, and
service code, whereas sensitive authentication data includes full track
data (magnetic-stripe data), CAV2/CVC2/CVV2/CID, and PINs.
It is also important to regularly review the updated guidance, news, and
the latest version of the PCI DSS published by the PCI SSC at
https://www.pcisecuritystandards.org/
2. Overview of PCI DSS and IBM DataPower Gateway
IBM DataPower Gateway (IDG, DataPower) provides services enabling
applications and systems to meet regulatory compliance requirements for
PCI DSS. DataPower is a gateway that provides security, control,
integration, and optimized access to a full range of mobile, web,
application programming interface (API), service-oriented architecture
(SOA), B2B and cloud workloads.
DataPower provides configurable services that help enable PCI DSS
compliance across many industries, including Financial Services,
Insurance, Healthcare, Government, and Retail.
Ultimately, the customer is responsible for compliance, and must ensure
that applications and data meet specific compliance specifications.
DataPower helps ensure security, accessibility, and usability to achieve
that compliance. DataPower can control access to cardholder data, and is
designed to ensure security, resiliency, and efficiency.
DataPower security and compliance capabilities apply to all available
DataPower form factors (physical, virtual, Linux, Docker, and Red Hat
OpenShift). DataPower provides high performance and hardened security,
using authentication, authorization, and auditing for robust security
enforcement. It also provides secure token translation to integrate
easily between multiple security protocols, message protection through
digital signature and encryption capabilities, transport protection
through TLS/SSL processing, and many more industry-leading capabilities.
For a detailed list of the features and capabilities of IBM DataPower
Gateway, see https://www.ibm.com/products/datapower-gateway
3. Goals for PCI DSS Compliance
A) Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect
cardholder data
DataPower can be deployed as a security gateway in the demilitarized
zone (DMZ). Here DataPower acts as a reverse proxy for the client
application: it terminates the incoming connection, ensures that the
request message is safe, then creates a new connection and passes the
request to services within the trusted zone. DataPower parses the
message payload and performs data validation to prevent malicious
content from reaching the backend applications in the trusted zone.
DataPower provides data validation for all approved incoming and
outgoing payloads while adding minimal latency to the message traffic.
DataPower is built not only to meet regulatory requirements, but also to
meet industry best practices. DataPower can filter message content,
metadata, or network variables. DataPower can also act as a Web
Application Firewall (WAF) by providing HTTP Protocol filtering, threat
protection, and cookie handling.
Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters
Administratively, setting up a Password Policy is key to any customer’s
internal controls mechanism. DataPower enforces a configurable
password policy, while customer internal controls ensure that all the other
players in the IT landscape do their part.
Access control to DataPower can be set up in the following ways:
• Authenticate users by locally defined accounts: In this case, you
can set up a password policy with parameters such as Minimum Password
Length, Require Mixed Case, Require Non-Alphanumeric, Disallow Username
as Substring, Maximum Password Age, Disallow Password Reuse, and so on.
• Authenticate users outside of DataPower, using an external directory
such as LDAP or Active Directory: In this case, the password policy must
be defined in the LDAP or Active Directory. That Policy Decision Point
(PDP) works with DataPower as the Policy Enforcement Point (PEP) to
authenticate users outside of DataPower.
• Role Based Management (RBM): DataPower also supports an RBM model for
fine-grained control of user access. This allows specific users to be
restricted to specific development or administrative roles within
DataPower.
B) Protect Cardholder Data
Requirement 3: Protect stored cardholder data
PCI DSS requires that the cryptographic material used to encrypt
cardholder data be stored in a secure manner; typically this means a
Hardware Security Module (HSM). DataPower has an implementation to meet
your PCI processing needs regardless of topology: an onboard HSM for
hardware appliances, integration with network-attached HSMs for VMware
and on-premises container deployments, and integration with cloud HSMs.
Requirement 4: Encrypt transmission of cardholder data across open,
public networks
Cardholder data must be secured both in-flight and while at-rest.
DataPower Gateway can fulfill these requirements by implementing the
following functionalities:
• Securing data while in-flight: DataPower provides in-flight security
using Transport Layer Security (TLS). It also provides support for
HTTP/S, HTTP/2, FTPS, SFTP, MQ, Kafka, and AMQP.
• Securing data while at-rest:
o Message confidentiality: DataPower allows message- and field-level
encryption, which ensures that no one can access the payload without
the appropriate decryption key.
o Message integrity: A cryptographic hash allows the end user to check
whether a message was intercepted or tampered with.
o Non-repudiation: Digital signatures are used to determine whether the
message was sent by the actual originator.
Diagram 1 below shows a sample transaction flow in DataPower Gateway:
Diagram 1: Protecting Card Holder Data
C) Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly
update anti-virus software or programs
DataPower’s firmware is cryptographically signed, meaning malware cannot
be installed onto the appliance, which negates the need for antivirus to
be run on the hardware or VMware form factors.
Messages with attachments carry additional payload through the
attachments, and therefore attachments need to be scanned for viruses
before they are permitted to enter the secure zone of any organization.
DataPower does not provide an integrated anti-virus capability.
DataPower does support the ICAP protocol, which enables off-board
anti-virus scanning. It leverages ICAP with vendor-acquired anti-virus
scanner products to complement its own built-in security features. The
main objective of this configuration is to filter out any malicious
messages at the DMZ layer of the network, where DataPower is deployed as
an edge-of-network security gateway.
Requirement 6: Develop and maintain secure systems and applications
In DataPower you can:
• Install the latest firmware: Firmware upgrades are easy and quick.
If there are any issues with the newly installed firmware, then rolling
back to the previous version can be achieved within minutes.
• Use change control: Any changes to the DataPower service objects
leave a trail in the audit logs.
• Use secure coding guidelines: DataPower adheres to the Open Web
Application Security Project (OWASP) secure coding guidelines.
D) Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to
know, and,
Requirement 8: Identify and authenticate access to system
components, and,
Requirement 9: Restrict physical access to cardholder data
All the above requirements can be satisfied by having strong “AAA”:
1. Authentication: Verify the identity of the request sender.
2. Authorization: Determine whether the sender has access to the
requested resource.
3. Auditing: Keep records of all attempts to access the resources.
Diagram 2 below shows how DataPower implements these security measures
using the aforementioned "AAA" action.
Diagram 2: Security measures implemented by DataPower
The DataPower AAA action performs the three security processes:
authentication, authorization, and auditing.
1. In the first step, it extracts the identity token from the message. To
verify the claims made by this token, the action authenticates it against
either an on-board ID store or an external access control server. Once
the client's identity has been confirmed, you have the option of mapping
the client's credentials to one of the users or groups defined by the
service. The LDAP interface is always encrypted to ensure that no
sensitive user data is transmitted ‘in the open’.
2. In the second step, the action extracts the requested resource from the
message. It then checks whether the authenticated user has permission to
access the requested resource.
3. In the final step, the action performs auditing and accounting. The
action records all access attempts, successful or unsuccessful, for
monitoring and non-repudiation purposes. Additionally, the action can
perform post-processing steps, such as generating SAML or LTPA tokens for
single sign-on. Data recorded as part of the audit can be encrypted to
ensure that sensitive user data is not visible in the log files.
Diagram 3 below shows an example scenario for access control and
credential mapping in DataPower Gateway:
Diagram 3: Access Control and Credential mapping
The request takes the following path before reaching the backend:
Step 1: The client sends a request to the application server.
Step 2: The request carries the client username and password to
DataPower Gateway.
Step 3: DataPower authenticates the client via LDAP.
Step 4: After authentication and authorization of the client user,
DataPower maps the credentials for unified communication with the
backend.
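The three AAA steps and the credential mapping of Diagram 3, worked through in code. This is an added illustration and not DataPower's AAA action: the on-board ID store (in place of the LDAP server in the diagram), the group and resource names, the backend header and the PAN-masking rule are all constructed for the example.

```python
"""AAA flow modelled on the three steps and credential mapping of Diagram 3.
Added illustration, not DataPower's AAA action: the ID store, group and
resource names, backend header and PAN masking rule are constructed here."""
import base64, hashlib, hmac, re

# On-board ID store: user -> (sha256 of password, group). Constructed data.
ID_STORE = {"alice": (hashlib.sha256(b"s3cret!").hexdigest(), "payments")}
RESOURCE_ACL = {"payments": {("POST", "/api/charge")}}   # group -> allowed (method, path)
MAPPED_IDENTITY = {"payments": "svc-payments"}            # backend never sees the password
_PAN = re.compile(r"\b(\d{6})\d{6,9}(\d{4})\b")

def mask_pan(text):
    """Keep only the first six and last four digits of anything PAN-shaped."""
    return _PAN.sub(r"\1******\2", text)

def extract_identity(headers):
    """Step 1a: pull the username/password token out of the request headers."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return None
    return user, pw

def authenticate(user, pw):
    """Step 1b: verify the token against the ID store; return its group or None."""
    entry = ID_STORE.get(user)
    if entry is None:
        return None
    digest = hashlib.sha256(pw.encode()).hexdigest()
    return entry[1] if hmac.compare_digest(digest, entry[0]) else None

def aaa(method, path, headers, body, audit):
    """Run the three steps on one request; return (allowed, headers for the backend)."""
    record = {"user": None, "resource": f"{method} {path}", "body": mask_pan(body)}
    backend_headers = {}
    ident = extract_identity(headers)
    group = authenticate(*ident) if ident else None
    if ident is None:
        result = "no credentials"
    elif group is None:
        result = "authentication failed"
    elif (method, path) not in RESOURCE_ACL.get(group, set()):   # step 2
        result = "authorization denied"
    else:
        result = "allowed"
        backend_headers["X-Mapped-User"] = MAPPED_IDENTITY[group]  # credential mapping
    if ident:
        record["user"] = ident[0]
    record["result"] = result        # step 3: password never enters the record, PAN is masked
    audit.append(record)
    return result == "allowed", backend_headers
```

Every attempt, allowed or not, lands in `audit` with the PAN masked and no password, which is the property the auditing step above asks for.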
E) Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources
and cardholder data
This requirement is met by maintaining a strict audit trail of all activities
related to services that process cardholder data, as mandated by the
organization’s internal controls. While DataPower plays its part, all the
players in the IT landscape need to follow the logging requirements.
DataPower supports off-application logging, using protocols such as
syslog and syslog-ng, or by writing the logs to a remote NFS mount.
DataPower never shares its file system, but it can connect to a shared file
system on other servers. A full suite of logging formats and protocols
is available, as well as a model for specifying event notifications at
various levels of granularity.
The logging utility works on the principle of publish and subscribe. Objects
publish log messages. Log targets subscribe to message streams. More
than one log target can subscribe to the same set of log messages. This
allows DataPower to distribute log messages to multiple destinations,
including network management consoles, file servers, and databases.
Again, data recorded as part of the audit can be encrypted to ensure
that sensitive user data is not visible in the log files.
Requirement 11: Regularly test security systems and processes
Testing is a necessary aspect of any security framework. Customers
should regularly test systems, policies and procedures and update when
vulnerabilities are found. That testing should include regular reviews
of the DataPower fix packs and security updates that IBM publishes.
Adopting the latest fixes is key to maintaining a strong DataPower
security posture.
F) Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
for all personnel
DataPower acts as a Policy Enforcement Point (PEP) to implement security
policies. It provides Security Policy Management and is designed to be
universally understood by multiple software solutions.
DataPower provides easy configuration and management of resources and
services via the Web GUI, CLI, IDE, and Eclipse configuration tooling to
address the needs of developers, administrators, architects, network
operations, and security teams.
4. Conclusion
As described in this document, IBM DataPower Gateway can be used as a
core component to help achieve PCI compliance. The features and
capabilities described in this document are all available as standard,
configurable services within DataPower. IBM has worked with many
clients around the globe to help them achieve PCI compliance using
DataPower Gateway. For further help or assistance, please reach out to
your IBM Representative, or contact IBM at www.ibm.com
5. Contributors
The following were involved in deciding and validating the content along
with the author of this whitepaper:
• Steven Cawn
• Bob Johnson
• Christopher Khoury
• Shiu-Fun Poon
• Andrew White