Minisoft joins PCI compliance team
December 1, 2009
Penalties for unsecured commerce via credit cards run up to a half million dollars for companies using the HP 3000, Unix and other environments. The card industry's new PCI standards were expected to leave the HP 3000 unprepared for the July 2010 deadline to comply. But a few vendors have stepped in to add security that could satisfy PCI auditors.
And in a best-of-both-worlds development, the newest entry for PCI compliance tools runs with both the IMAGE and the Eloquence databases -- so 3000 users en route to migration can have encrypted connections now, and later.
Minisoft announced that its database connectivity tools have been updated to include security that can help in PCI compliance. Starting today the company's ODBC, JDBC and OLE database middleware drivers incorporate SSLv3 and TLSv1 encryption to secure connections. Minisoft says that its new options for the middleware "allow a user to specify the PCI-compliant levels along with the type of encryption (Change Cipher Spec Protocol) required by an organization's auditor or compliance officer."
In matters of PCI compliance -- important at the e-commerce companies where the 3000 was once strong in number -- those auditors determine what will escape the credit card penalties.
Visa and Mastercard set up the PCI security measures, and the card companies are requiring every merchant and processor to comply with thorough practices which include encryption capability. The HP 3000 was never adept at encrypting data, in large part because the system was secured by its unique OS architecture. Viruses, malware and hacks are not part of the 3000's pedigree.
But encryption is essential to passing a PCI audit, so the Minisoft products adopt three of the better-known modules for protecting data in transit. The vendor calls its software "compliant with the PCI Data Security Standard." The DSS is widely accepted as a crucial part of a total PCI compliance plan.
Earlier in 2009 the HP 3000 got another member of the encryption team to become PCI compliant. IDent/3000, a PCI compliance utility written, sold and supported by Paul Taffel, added features to keep some Ecometry sites in the running to gain PCI compliance.
Taffel created IDent when Adager's CEO Rene Woc put him in touch "with a couple of Ecometry sites who realized that there was no way to meet PCI requirements with existing MPE features. These sites fed me with requirements, and I came up with a collection of solutions to take care of each requirement."
Now Minisoft offers its PCI solution, an element that might be viewed as an essential tool in a box which IT managers will need to fill to satisfy certified PCI auditors. Minisoft's tool has a substantial added value. Its middleware operates with Eloquence, the database most like IMAGE. So when 3000 sites complete their migrations -- using lift and shift methodology for minimum risk -- the same middleware suite is waiting on the Unix, Windows or Linux target platform. It even supports the Mac.
One important point to remember is that PCI is a standard which can be interpreted in more than one way. A subjective appraisal from an auditor leads to certification. As Taffel said in our summertime story:
"Most small companies can self-certify that they’re PCI compliant, but the bigger ones have to use external auditors, so they’re the motivated ones. The PCI requirements are not 100 percent clear. Everyone who reads them comes away with a different understanding of what they require."
The Minisoft ODBC, JDBC, and OLE DB middleware drivers support MPE's IMAGE, Eloquence 8.0, Windows 7.0, and Windows 64-bit SQL Enterprise Server. The drivers run on HP-UX, MPE, Windows, Linux, Solaris, AIX, and Macintosh operating systems. The PCI capabilities are available in an upgraded version for existing Minisoft customers.