Requirement 8: Facilitate secure network implementation

Details about how requirement 8 and subrequirements 8.1, 8.2, and 8.3 are fulfilled.

Requirement 8.1

The payment application must be able to be implemented into a secure network environment. Application must not interfere with use of devices, applications, or configurations required for PCI DSS compliance (for example, payment application cannot interfere with anti-virus protection, firewall configurations, or any other device, application, or configuration required for PCI DSS compliance).

This requirement is met by IBM® Safer Payments.

Note: For performance reasons, regular on-demand anti-virus scans are preferred over on-access scans for IBM Safer Payments ddc directories.

Requirement 8.2

The payment application must only use or require use of necessary and secure services, protocols, daemons, components, and dependent software and hardware, including those provided by third parties, for any functionality of the payment application. For example, if NetBIOS, file-sharing, Telnet, FTP, etc., are required by the application, they are secured via SSH, S-FTP, TLSv1.2, IPSec, or other technology.

The following services, protocols, daemons, components, and dependent software and hardware are required and used by IBM Safer Payments:

  • Computer hardware that supports the operating system.
  • Operating system. Refer to System requirements for the list of operating systems that are supported with this IBM Safer Payments release in a PCI DSS compliant environment.
  • IP/http networking secured by TLSv1.2
  • syslog
  • SMTP (optional) secured by TLSv1.2
  • LDAP (optional) secured by TLSv1.2
  • The following libraries are linked statically:
    • openssl-1.1.1n
    • zlib-1.2.11
      • minizip
    • boost_1_70_0
    • bzip2-1.0.8
    • snmp++ 2.6
    • minizip 1.1
    • opencv-4.1.1
    • Itx
    • rapidjson
    • librdkafka-1.3.0
  • The list of dynamically linked libraries can be obtained by running the following command from a shell:
    ldd /usr/bin/iris
  • If you want to use the ODBC interface in case actions or notifications, IBM Safer Payments dynamically links the following plug-in:
    iris_sql_util.so
  • The plug-in itself might also link other libraries. The list of dynamically linked libraries for the plug-in can be obtained by running the following command from a shell:
    ldd iris_sql_util.so
  • In addition, IBM Safer Payments can link IBM MQ client libraries (libmqic.so) and a custom parser implementation (sp_custom_parser.so) at run time, if the shared libraries are deployed on the shared library search path of IBM Safer Payments. Neither is required to run IBM Safer Payments. They are developed and released by independent development teams. Therefore, they are not covered by the PA-DSS certification of IBM Safer Payments.
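The ldd checks above can be turned into a repeatable audit. The following script is an added example, not part of the IBM documentation or product: it reads ldd output, reports unresolved dependencies and libraries resolved from unexpected directories, and flags the two optional libraries named above. Because ldd lists only load-time dependencies, a second function looks for those optional libraries directly in a directory list. The function names, the default directory list, and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit shared-library dependencies.
# Optional libraries the page names as outside the PA-DSS certification.
OUT_OF_SCOPE="libmqic.so sp_custom_parser.so"

# audit_ldd [DIRS]: read ldd output on stdin, print one finding per line.
# DIRS is a colon-separated list of directories libraries are expected to
# resolve from (the default is an assumption; adjust for your distribution).
audit_ldd() {
    allowed=${1:-/lib:/lib64:/usr/lib:/usr/lib64}
    while read -r name arrow path rest; do
        # vDSO and ELF interpreter lines carry no "=>" mapping; skip them.
        [ "$arrow" = "=>" ] || continue
        # An unresolved dependency is printed as "libx.so => not found".
        [ "$path" = "not" ] && { echo "MISSING $name"; continue; }
        for lib in $OUT_OF_SCOPE; do
            case $name in "$lib"*) echo "OUT_OF_SCOPE $name $path" ;; esac
        done
        case ":$allowed:" in
            *":${path%/*}:"*) ;;
            *) echo "UNEXPECTED_DIR $name $path" ;;
        esac
    done
}

# find_optional DIRS: report out-of-scope libraries present in DIRS.
# Libraries loaded at run time do not appear in ldd output, so the
# directories on the search path are checked directly.
find_optional() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        IFS=$old_ifs
        for lib in $OUT_OF_SCOPE; do
            for f in "$dir/$lib"*; do
                [ -e "$f" ] && echo "PRESENT $f"
            done
        done
    done
    IFS=$old_ifs
}

# Constructed sample in ldd output format (not from a real installation).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd5a7f2000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1c2a400000)
	libodbc.so.2 => not found
	libmqic.so => /opt/mqm/lib64/libmqic.so (0x00007f1c2a000000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a800000)'

printf '%s\n' "$SAMPLE_LDD" | audit_ldd
```

On a real system, pipe the output of the ldd commands shown above into audit_ldd and pass the directories of the shared library search path to find_optional.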

To comply with this requirement, certain IP communication must be encrypted, and several operating system configuration settings must be made. This is addressed in detail in the sections Installation overview and Operational configuration.

To comply with this requirement, you must not use SSD type hard disks, as secure deletion cannot be assured with this technology.

Requirement 8.3

The payment application must not require use of services or protocols that preclude the use of or interfere with normal operation of multi-factor authentication technologies for securing remote access to the payment application that originates from outside the customer environment.

IBM Safer Payments does not interfere with such technologies.