HP educates on virtual servers today
Will PCI standards kick 3000s out of service?

New PCI utility adds 3000 compliance tools

HP 3000 software doesn't get much updating these days. I don't mean applications running business on 3000s. Those have to be enhanced and upgraded regularly. But 3000-based off the shelf apps, or vendor utilities, haven't seen much new code since 2005 or even earlier. The exceptions to that situation are starting to work together.

Last week the community got notice of a new feature for IDent/3000, a PCI compliance utility written, sold and supported by Paul Taffel. He's developed numerous solutions for 3000s over the past two decades. At one time he was developing for Orbit Software, and most recently he's been in the development team at Quest Software.

Taffel's IDent/3000 added the ability to detect file changes by means of "of a cryptographically-secure state-of-the-art checksum algorithm, Whirlpool. Whirlpool creates a 512-bit message digest for each monitored file; IDent stores these signatures, and uses them to detect new, changed, and deleted files."

3000 sites in the e-commerce community have deployed IDent over the past year. Taffel is looking for more traction for a tool that appears to have many unique security features. He says he created IDent when Adager's CEO Rene Woc put him in touch "with a couple of Ecometry sites who realized that there was no way to meet PCI requirements with existing MPE features. These sites fed me with requirements, and I came up with a collection of solutions to take care of each requirement."

His current duties extend the security of a 3000 server which processes many late-night purchases from Americans watching television.

Taffel developed IDent/3000, then landed a job at Mouton Logistics Management, which runs its own customized e-commerce app. Mouton is a processing clearinghouse for many vendors who sell through infomercials. In a weak economy, Taffel says, infomercials are doing strong business.

The Ecometry sites working with IDent want to remain on their HP 3000s. Taffel counted on advice from IT managers at Ecometry customer sites. Ecometry has reported at its latest user group conference that 75 sites that haven't scheduled any migration away from the 3000. Other companies have home-grown e-commerce solutions on a 3000.

"The company makes a lot of use of their 3000s, and needs to become PCI-compliant, too," he says. "IDent covers all parts of the PCI spec with the exception of credit card number encryption (because Ecometry already provide that option). I am also working on credit card encryption for Moulton, but that is not included in IDent."

Taffel outlined the features that IDent offers to companies that need to meet new PCI standards in 2010:

- user keystroke logging (log file timestamps all user input, and includes the current prompt).

- TurboIMAGE rule-based access control.

- Logging read/write access to datasets/files containing critical data (e.g. credit card numbers)

- log files can be automatically FTP’d to remote systems for extra security.

- cryptographically-secure checksums used to detect changes to operating system files.

- ability to protect filesets from tampering. In most cases this means log files. IDent can stop anyone (including SM users) from removing log files using any means.

This last feature, protecting log files, is essential for PCI. Taffel says that it's "key that if you have a breach, which parts of the database have been compromised? You must be auditing the access to know the extent of the compromise." If a hacker gets into data and then erases the log files on the way out, encryption alone isn't going to repair the problem, or satisfy PCI auditors.

Even the Whirlpool algorithm can't secure a system if implemented incompletely. "My main problem with encryption is with its real-world use," Taffel says. "There are a lot of front doors getting bolts added while back doors remain open."

Security software is never a favorite investment for computer owners. "No one invests in security software unless they have to," Taffel says. "Most small companies can self-certify that they’re PCI compliant, but the bigger ones have to use external auditors, so they’re the motivated ones."

PCI is posing plenty of puzzles for IT directors. "The PCI requirements are not 100 clear," Taffel says. "Everyone who reads them comes away with a different understanding of what they require. Hence, IDent is highly configurable, basically a collection of tools that can be configured as each site sees fit."