Major Retailer Implements Data Masking After a Security Breach—No Programming Required

by Kris Lall on April 21, 2015

Data breaches continue to be the hot topic of enterprise conversations these days, but before you switch the dial due to data breach fatigue, please just hear me out.

Recently, a large international retailer suffered an insider breach in which a contract employee stole customer credit card information from an IBM mainframe application simply by copying the data from the screen. That cardholder data and other Personally Identifiable Information (PII) ended up on the black market, where it is now worth quite a bit of money, thanks to the convenience and speed of the Internet.

Due to this breach and an upcoming audit, the retailer is now scrambling to fix the security vulnerability and meet PCI DSS requirements. But the organization doesn’t have the time or resources to build a new application from scratch, nor the in-house COBOL programming expertise to address the attack vector on the host side.

Mainframe Apps Are at Risk Too

Mainframe applications live on host systems like servers, mainframes, and private cloud networks, enabling essential functions across all industries and helping to power the world economy. It's hard to go even 5 minutes without a mainframe application doing some work for you, whether it's on the end of your utility company, online retailer, or airline reservation system.

Yet, when it comes to updating critical apps for regulatory compliance, mainframe applications are often an afterthought, overlooked by IT teams in favor of apps that run on old operating systems like Windows XP.

But aren’t these backend apps secure enough simply because they’re on a mainframe?

Well, unfortunately not. If mainframe apps don’t or can’t keep up with the latest security threats, they’re vulnerable too.

Masked Data to the Rescue

As a large international retailer, the company in question must now ensure that their IBM host applications meet four major security requirements for processing customer data:

  1. Provide visual access to credit card data on host screens to approved users, but deny visual access to others.
  2. Be able to recognize and protect both standard and non-standard credit card numbers.
  3. Prevent redacted host data from reaching the Windows Clipboard in the clear (so it can't be pasted into other Windows applications).
  4. Allow masked data to be copied from one host screen to another (for example, from an IBM mainframe session to an AS/400 session) without exposing it.

Without COBOL programmers on staff, no in-house options exist for making these changes.

Enter Reflection Terminal Emulation

Protecting important data on mainframes IS possible with the right tool—such as the latest release of Attachmate Reflection. Reflection terminal emulation offers patent-pending redaction technology to protect sensitive data on IBM host application screens.

After implementing Reflection, the retailer’s IT staff was able to meet its four security requirements. Let’s take a look at how:

Requirement 1

The retailer was able to leverage Reflection’s new PCI redaction technology tools to mask or display the credit card data depending on who needs to access it. Most call center employees can only see the last four digits of a card number in order to verify customer identity, while some managers are able to see full, non-masked data.

And Reflection does this without affecting workflow, allowing users to securely copy and paste sensitive data if deemed necessary based on user role.

Requirement 2

The retailer processes mostly 16-digit Visa and MasterCard numbers, but also must accommodate non-standard 19-digit numbers from regional banks. (A 19-digit number is still within the ISO/IEC 7812 maximum for a primary account number, so a masking rule keyed to 16 digits only would miss these.) Reflection's built-in recognition of credit card data covers the standard formats and can be tuned for non-standard card number patterns, so it is able to hide this data as well.
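The detection and masking behaviour described in Requirements 1 and 2 can be illustrated with a short Python example. This is an added example, not Reflection's code and not a description of how its redaction is implemented; the role names, the 13-to-19-digit candidate range, the use of a Luhn check to reject look-alike digit runs, and the sample screen are all assumptions made for the illustration (the 16-digit value is the well-known Visa test number, and the 19-digit value is constructed to pass the Luhn check).

```python
"""Pattern-based PAN masking with role-based display (added example).

Assumptions: a candidate card number is 13 to 19 digits (the ISO/IEC 7812
range), optionally grouped by single spaces or hyphens, and a Luhn check is
used to drop digit runs (order numbers, account IDs) that merely look like
card numbers. Role names are made up for the example.
"""
import re
from typing import List

# Roles allowed to see full card numbers; everyone else gets the last four.
FULL_VIEW_ROLES = {"manager"}

# 13-19 digits, each optionally followed by one space or hyphen; the digit
# boundaries keep us from matching inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812); rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Digit-only form of every Luhn-valid candidate found in the screen text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def _mask_candidate(m) -> str:
    raw = m.group(0)
    digits = _digits_only(raw)
    if not luhn_valid(digits):
        return raw                       # not a card number: leave it visible
    keep_from = len(digits) - 4          # last four stay for identity checks
    seen, out = 0, []
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(ch)               # preserve the screen's own grouping
    return "".join(out)


def redact_screen(text: str, role: str) -> str:
    """Return the screen text as the given role should see (or copy) it."""
    if role in FULL_VIEW_ROLES:
        return text
    return PAN_CANDIDATE.sub(_mask_candidate, text)


# Constructed sample screen. The order number and phone number are digit
# runs that must NOT be masked; the two card numbers must be.
SCREEN = (
    "CUST ORDER INQUIRY            ORD# 1234567812345678\n"
    "NAME: J DOE           CARD: 4111 1111 1111 1111  EXP 09/27\n"
    "ALT CARD: 6011111111111111110     PH 555-123-4567\n"
)

if __name__ == "__main__":
    print(redact_screen(SCREEN, "agent"))    # card numbers masked to last four
    print(redact_screen(SCREEN, "manager"))  # full screen, unchanged
```

For a restricted role, the same function's output is what should be handed to the Windows Clipboard: if the clipboard only ever receives the redacted text, a paste into another application cannot expose more than the screen showed. Two caveats apply to any pattern-based approach: the regular expression alone matches every long digit run, and the Luhn check removes most but not all of the false positives (roughly one random digit run in ten passes it), so the pattern and the list of roles that see full data both need review against the retailer's actual screens.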

Requirements 3 and 4

While the Windows Clipboard is a great tool for sharing data between applications, it can also allow users to capture data for malicious intentions such as stealing customer data. The retailer needed to prevent users from copying credit card data from a host screen and pasting to the Windows Clipboard to be shared with other Windows applications that could expose the data.

Reflection provided this capability, plus met an additional requirement to allow card data to be copied between two IBM host applications within the Reflection workspace without the agent ever being able to view the data.

A Happier Ending

Reflection meets the retailer’s card protection requirements today, and also provides the ability to protect any other type of PII pattern data such as social security numbers, telephone numbers, and mailing addresses. And Reflection even addresses printing security by redacting data when it’s printed by certain users.

In the end, Reflection was able to address each of this large retailer’s security requirements for sensitive data on IBM host screens—and more—helping to prevent a future data breach of its critical host-based business applications.

The icing on the cake is that the retailer accomplished all of this without having to update multiple COBOL applications on the mainframe, saving a significant amount of time, money, and risk.
