To that end I am writing a paper on how zSecure can help you achieve compliance with the PCI DSS (Payment Card Industry Data Security Standard) - which becomes mandatory for Level 1 merchants in the Visa and Mastercard schemes from next month. That will be available on Pirean.com soon, but here are some highlights. The numbered list is the "Digital Dozen" - the twelve basic requirements of the PCI DSS - and the bullets describe briefly how zSecure can help you deliver against each requirement cost-effectively.
1. Install and maintain a firewall configuration to protect cardholder data.
- zSecure Audit to report on the z/OS UNIX security settings that protect z/OS Communications Server.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
- Audit reports to expose defaults and insecure settings.
- Admin to effect hardening changes.
- Command Verifier (CV) to lock the hardened settings in their secure position.
3. Protect stored cardholder data.
- Audit and Admin for hardening of the TCB (trusted computing base) and enforcing least privilege.
- CV to lock in compliance and Alert to notify attacks
4. Encrypt transmission of cardholder data across open, public networks.
- Admin and Audit for least privilege over keys and the services that use them.
5. Use and regularly update anti-virus software.
- Audit with Change Tracking to detect modification of sensitive libraries.
6. Develop and maintain secure systems and applications.
- Admin and Audit for RBAC and separation of development, test and production environments.
7. Restrict access to cardholder data by business need-to-know.
- Admin and Audit for RBAC and least-privilege access control, using the Access Monitor and RACF Cleanup functions to remove access that is never exercised.
8. Assign a unique ID to each person with computer access.
- Admin and Audit to cleanse user IDs and recertify who holds them.
- CV to prevent escalation of privileges and Alert to notify misuse.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
- Audit with Access Monitor to monitor access to cardholder data and network resources.
- CV to maintain integrity of audit trail and Alert to notify attacks
11. Regularly test security systems and processes.
- zSecure Audit's supplied and bespoke reports to check compliance status.
- Change Tracking to ensure the integrity of the TCB.
12. Maintain a policy that addresses information security.
- N/A (although CV enforces the policy once it is defined).
I'll let you know when the full doc is available; meantime, check out my thoughts on compliance for System z in my earlier white paper here.