
IBM Whitepaper

Payment Card Industry Data Security Standard (PCI DSS)

How IBM DataPower Gateway helps with PCI DSS Compliance

Priyanka Kohli
Product Manager – DataPower Gateways

Aug 2021

Copyright ©2021 IBM Corp.


Table of Contents
1. INTRODUCTION ... 2
2. OVERVIEW OF PCI DSS AND IBM DATAPOWER GATEWAY ... 3
3. GOALS FOR PCI DSS COMPLIANCE ... 4
A) BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS ... 4
Requirement 1: Install and maintain a firewall configuration to protect cardholder data ... 4
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ... 4
B) PROTECT CARDHOLDER DATA ... 5
Requirement 3: Protect stored cardholder data, and, ... 5
Requirement 4: Encrypt transmission of cardholder data across open, public networks ... 5
C) MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM ... 7
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs ... 7
Requirement 6: Develop and maintain secure systems and applications ... 8
D) IMPLEMENT STRONG ACCESS CONTROL MEASURES ... 8
Requirement 7: Restrict access to cardholder data by business need to know, and, ... 8
Requirement 8: Identify and authenticate access to system components, and, ... 8
Requirement 9: Restrict physical access to cardholder data ... 8
E) REGULARLY MONITOR AND TEST NETWORKS ... 11
Requirement 10: Track and monitor all access to network resources and cardholder data ... 11
Requirement 11: Regularly test security systems and processes ... 12
F) MAINTAIN AN INFORMATION SECURITY POLICY ... 12
Requirement 12: Maintain a policy that addresses information security for all personnel ... 12
4. CONCLUSION ... 12
5. CONTRIBUTORS ... 13

1. Introduction

The objective of this whitepaper is to provide information regarding the Payment Card Industry Data Security Standard (PCI DSS) and the ways in which IBM DataPower Gateway (IDG) helps achieve compliance. This document is written with reference to the requirements and security assessment procedures listed in PCI DSS v3.2.1 from the PCI Security Standards Council, documented at https://www.pcihispano.com/contenido/uploads/2016/09/PCI_DSS_v3-2-1.pdf

The Payment Card Industry Data Security Standard (PCI DSS) is a global security program that was created to increase confidence in the payment card industry and reduce risks to PCI Members, Merchants, Service Providers and Consumers. This standard aims at increasing the controls around cardholder data to reduce credit card fraud via its exposure. The validation of compliance is done annually by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

PCI DSS is applicable to any industry that stores, processes, uses, or transmits cardholder data and/or sensitive authentication data. The objective of PCI DSS is to protect the cardholder's data and sensitive authentication data against any unauthorized access, use, disclosure, disruption, or modification. Cardholder data includes the primary account number, cardholder name, expiration date, and service code, whereas sensitive authentication data includes full track data (magnetic-stripe data), CAV2/CVC2/CVV2/CID, and PINs.

It's also important to regularly review updated guidance, news, and the latest version of the PCI DSS published by the PCI SSC at https://www.pcisecuritystandards.org/

2. Overview of PCI DSS and IBM DataPower Gateway

IBM DataPower Gateway (IDG, DataPower) provides services enabling applications and systems to meet regulatory compliance requirements for PCI DSS. DataPower is a gateway that provides security, control, integration, and optimized access to a full range of mobile, web, application programming interface (API), service-oriented architecture (SOA), B2B and cloud workloads.

DataPower provides configurable services that help enable PCI DSS compliance across many industries, including Financial Services, Insurance, Healthcare, Government, and Retail.

Ultimately, the customer is responsible for compliance, and must ensure that applications and data meet specific compliance specifications. DataPower helps ensure security, accessibility, and usability to achieve that compliance. DataPower can control access to cardholder data, and is designed to ensure security, resiliency, and efficiency.

DataPower security and compliance capabilities apply to all available DataPower form factors (Physical, Virtual, Linux, Docker, and Red Hat OpenShift). DataPower provides high performance and hardened security, using Authentication, Authorization, and Auditing to provide robust security enforcement. It also provides secure token translations to easily integrate between multiple security protocols, message protection with digital signature and encryption capabilities, transport protection with TLS/SSL processing, and many more industry leading capabilities.

For a detailed list of features and capabilities of IBM DataPower Gateway, please visit https://www.ibm.com/products/datapower-gateway

3. Goals for PCI DSS Compliance

A) Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

DataPower can be deployed as a security gateway in the demilitarized zone (DMZ). Here DataPower acts as a reverse proxy for the client application. It terminates the incoming connections, ensures that the request messages are safe, then creates a new connection and passes the request to services within the trusted zone. DataPower parses the message payload and performs data validation to prevent malicious content reaching the backend applications in the trusted zone. DataPower provides data validation for all approved incoming and outgoing payloads with minimal added latency to the message traffic.

DataPower is built not only to meet regulatory requirements, but also to meet industry best practices. DataPower can filter on message content, metadata, or network variables. DataPower can also act as a Web Application Firewall (WAF) by providing HTTP protocol filtering, threat protection, and cookie handling.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Administratively, setting up a password policy is key to any customer's internal controls mechanism. DataPower enforces a configurable password policy, while the customer's internal controls ensure that all the other players in the IT landscape do their part.

There are two ways to set up access control to DataPower:

• Authenticate users by locally defined accounts: In this case, you
can set up a password policy that allows for parameters such as:
Minimum Password Length, Require Mixed Case, Require Non-
Alphanumeric, Disallow Username as Substring, Maximum Password
Age, Disallow Password Reuse, and so on.

• Authenticate users outside of DataPower, such as LDAP or Active Directory: In this case, the password policy must be defined in the LDAP or Active Directory. This Policy Decision Point (PDP) works with DataPower as the Policy Enforcement Point (PEP) to authenticate users outside of DataPower.

• Role Based Management (RBM): DataPower also supports an RBM model for fine-grained control of user access. This allows control of specific users with specific development/administrative roles within DataPower.
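The following is an added example, not IBM's code or DataPower's own implementation, of what a password policy with the parameters listed above has to check when a locally defined account sets a new password. The parameter names mirror the whitepaper's list; the default values, the salt and the reuse history are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    # Parameter names follow the whitepaper's list; the values are constructed defaults.
    min_length: int = 12
    require_mixed_case: bool = True
    require_non_alphanumeric: bool = True
    disallow_username_substring: bool = True
    max_password_age_days: int = 90
    reuse_history_depth: int = 5


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the reuse history never holds cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_new_password(policy: PasswordPolicy, username: str, candidate: str,
                       history: list, salt: bytes) -> list:
    """Return the names of the violated rules; an empty list means the password is accepted."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("minimum_length")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if policy.require_mixed_case and not (has_lower and has_upper):
        violations.append("mixed_case")
    if policy.require_non_alphanumeric and all(c.isalnum() for c in candidate):
        violations.append("non_alphanumeric")
    if policy.disallow_username_substring and username.lower() in candidate.lower():
        violations.append("username_substring")
    # Compare against the most recent hashes only, as deep as the policy requires.
    recent = history[-policy.reuse_history_depth:] if policy.reuse_history_depth else []
    if hash_password(candidate, salt) in recent:
        violations.append("password_reuse")
    return violations


def password_expired(policy: PasswordPolicy, last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than the policy's maximum age (dates as ISO strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > policy.max_password_age_days
```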

B) Protect Cardholder Data

Requirement 3: Protect stored cardholder data

PCI requires that cryptographic material used to encrypt cardholder data be stored in a secure manner; typically this means a Hardware Security Module (HSM). From an onboard HSM for hardware appliances, to integration with network-attached HSMs for VMware and on-premises container implementations, to integration with Cloud HSMs, DataPower has an implementation to meet your PCI processing needs regardless of topology.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Cardholder data must be secured both in-flight and while at-rest.
DataPower Gateway can fulfill these requirements by implementing the
following functionalities:

• Securing data while in-flight: DataPower provides in-flight security using Transport Layer Security (TLS). It also provides support for HTTP/S, HTTP/2, FTPS, SFTP, MQ, Kafka, and AMQP.

• Securing data while at-rest:

o Message confidentiality: DataPower allows message- and field-level encryption, which ensures that no one can access the payload without the appropriate decryption key.

o Message integrity: A cryptographic hash allows the end user to check whether a certain message was intercepted or tampered with.

o Non-repudiation: Digital signatures are used to determine whether the message was sent by the actual originator.

Diagram 1 below shows a sample transaction flow in DataPower Gateway:

Diagram 1: Protecting Card Holder Data

C) Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

DataPower's firmware is cryptographically signed, meaning malware cannot be installed onto the appliance, which negates the need for antivirus to be run on the hardware or VMware form factors.

Messages with attachments carry additional payload in those attachments, and therefore attachments need to be scanned for viruses before they are permitted to enter the secure zone of any organization. DataPower does not provide an integrated anti-virus capability. DataPower does support the ICAP protocol, which enables off-board anti-virus scanning. It leverages the ICAP protocol with vendor-acquired anti-virus scanner products to complement its own built-in security features. The main objective of this configuration is to filter out any malicious messages at the DMZ layer of the network, where DataPower is deployed as an edge-of-network security gateway.

Requirement 6: Develop and maintain secure systems and applications

In DataPower you can:

• Install the latest firmware: Firmware upgrades are easy and quick. If there are any issues with the newly installed firmware, then rolling back to the previous version can be achieved within minutes.

• Use change control: Any changes to the DataPower service objects leave a trail in the audit logs.

• Use secure coding guidelines: DataPower adheres to the Open Web Application Security Project (OWASP) secure coding guidelines.

D) Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know, and,

Requirement 8: Identify and authenticate access to system components, and,

Requirement 9: Restrict physical access to cardholder data

All the above requirements can be satisfied by having strong “AAA”:

1. Authentication: Verify the identity of the request sender.
2. Authorization: Determine whether the sender has access to the requested resource.
3. Auditing: Keep records of any attempts to access the resources.

Diagram 2 below shows how DataPower implements these security measures using the aforementioned "AAA" action.

Diagram 2: Security measures implemented by DataPower

The DataPower AAA action performs the three security processes: authentication, authorization, and auditing.

1. In the first step, it extracts the identity token from the message. To verify the claims made by this token, the action authenticates it against either an on-board ID store or an external access control server. Once the client's identity has been confirmed, you have the option of mapping the client's credentials to one of the users or groups defined by the service. The LDAP interface is always encrypted to ensure no sensitive user data is transmitted 'in the open'.

2. In the second step, the action extracts the requested resource from the
message. It then checks if the authenticated user has permission to
access the requested resource.

3. In the final step, the action performs auditing and accounting. The action records any access attempts, successful or unsuccessful, for monitoring and non-repudiation purposes. The action can also perform post-processing steps, such as generating SAML or LTPA tokens for single sign-on. Data recorded or logged as part of the audit can be encrypted to ensure that sensitive user data is not visible in the log files.

Diagram 3 below shows an example scenario for access control and credential mapping in DataPower Gateway:

Diagram 3: Access Control and Credential mapping

The request follows this path before reaching the backend:

Step 1: Client sends a request to the application server
Step 2: This request carries the client username and password to DataPower Gateway
Step 3: DataPower performs the authentication of the client via LDAP
Step 4: DataPower maps the credentials for unified communication with the backend after authentication and authorization of the client user.
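To make the three AAA steps and the credential mapping of Diagram 3 concrete, here is an added Python model of the flow. It is not DataPower's code: the on-board ID store, the user-to-group mapping, the resource permissions and the header names (X-Username, X-Password, X-Mapped-User, X-Mapped-Group) are all constructed for the example, and the LDAP step is replaced by a local hashed-password lookup.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed on-board ID store: username -> (salt, password hash). No cleartext is kept.
ID_STORE = {"alice": (b"salt-alice", _hash("Alice#Pass2021", b"salt-alice"))}
# Credential mapping (step 1): authenticated user -> group defined by the service.
GROUP_MAP = {"alice": "card-ops"}
# Authorization policy (step 2): mapped group -> resources it may reach.
ACL = {"card-ops": {"/payments/authorize", "/payments/status"}}
# Audit trail (step 3): every attempt, successful or not.
AUDIT_LOG: list = []


@dataclass
class Message:
    headers: dict
    resource: str


def aaa_action(msg: Message) -> dict:
    """Run authentication, authorization and auditing over one request and return the decision."""
    # Step 1: extract the identity token (a username/password pair carried in headers)
    # and verify it against the ID store with a constant-time comparison. The hash is
    # computed even for unknown users so the timing does not reveal which names exist.
    user = msg.headers.get("X-Username", "")
    password = msg.headers.get("X-Password", "")
    salt, stored = ID_STORE.get(user, (b"no-such-user", b""))
    digest = _hash(password, salt)
    authenticated = user in ID_STORE and hmac.compare_digest(digest, stored)
    # Map the verified client to the group the service knows about.
    group = GROUP_MAP.get(user) if authenticated else None
    # Step 2: extract the requested resource and check the mapped group's permissions.
    authorized = authenticated and msg.resource in ACL.get(group, set())
    # Step 3: audit the attempt. The password is never written to the record.
    AUDIT_LOG.append({"user": user or "<none>", "group": group, "resource": msg.resource,
                      "authenticated": authenticated, "authorized": authorized})
    # Credential mapping toward the backend (Diagram 3, step 4): the client's password is
    # replaced by the mapped identity, so the trusted zone never sees the original credential.
    backend_headers = {"X-Mapped-User": user, "X-Mapped-Group": group} if authorized else {}
    return {"authenticated": authenticated, "authorized": authorized,
            "backend_headers": backend_headers}
```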

E) Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

This requirement is met by maintaining a strict audit trail of all activities related to services that process cardholder data, as mandated by the organization's internal controls. While DataPower plays its part, all the players in the IT landscape need to follow the logging requirements.

DataPower supports off-application logging, using protocols such as syslog and syslog-ng, or by writing the logs to a remote NFS mount. DataPower never shares its own file system, but it can connect to a shared file system on other servers. There is a full suite of logging formats and protocols available, as well as a model for specifying event notifications at various levels of granularity.

The logging utility works on the principle of publish and subscribe. Objects publish log messages, and log targets subscribe to message streams. More than one log target can subscribe to the same set of log messages. This allows DataPower to distribute log messages to multiple destinations, including network management consoles, file servers, and databases. Again, data recorded or logged as part of the audit can be encrypted to ensure that sensitive user data is not visible in the log files.

Requirement 11: Regularly test security systems and processes

Testing is a necessary aspect of any security framework. Customers should regularly test systems, policies and procedures, and update them when vulnerabilities are found. Included in that testing should be regular reviews of the DataPower fixpacks and security updates that are regularly published by IBM. Adopting the latest fixes is key to maintaining a strong DataPower security posture.

F) Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

DataPower acts as a Policy Enforcement Point (PEP) to implement security policies. It provides Security Policy Management and is designed to be universally understood by multiple software solutions.

DataPower provides easy configuration and management of resources and services via Web GUI, CLI, IDE, and Eclipse configuration to address the needs of Developers, Administrators, Architects, Network Operations, and Security teams.

4. Conclusion

As described in this document, IBM DataPower Gateway can be used as a core component to help achieve PCI compliance. The features and capabilities described in this document are all available as standard, configurable services within DataPower. IBM has worked with many clients around the globe to help them achieve PCI compliance using DataPower Gateway. For further help or assistance, please reach out to your IBM Representative, or contact IBM at www.ibm.com

5. Contributors

The following were involved in deciding and validating the content along
with the author of this whitepaper:

• Steven Cawn
• Bob Johnson
• Christopher Khoury
• Shiu-Fun Poon
• Andrew White
