Encryption tools enhance 3000 security
July 26, 2010
Driven by this month's deadline from credit card processors, owners of HP 3000s can turn to another set of tools and solutions to apply encryption security for online e-commerce. FluentEdge Technologies has been offering a two-fisted product set to punch up the transaction security on a server that's still processing card payments.
The Visa/Mastercard PCI security standard kicked in this month for most companies that accept credit cards in web transactions. Encryption of credit card numbers and user data is a non-negotiable feature to meet auditor requirements. Visa insists on compliance to maintain the ability to process sales. Companies must show a passing audit grade or send transactions to a more secure platform.
FluentEdge co-founder Cliff Looyenga said the encryption takes place while the data is en route to IMAGE. "We intercept the DBPUT or DBUPDATE database calls, after the customers define which datasets and in which positions have credit card numbers. Our software encrypts that portion of the record, and likewise, when we see DBGETs from those datasets, we then go and decrypt. This allows the customer to implement encryption without making any changes to their software at all."
AES 256-bit encryption is at the heart of the software. FluentEdge has one solution designed for the Ecometry e-commerce site, and another set of tools ready for the 3000 application programmer to apply to in-house systems. There's also a stand-alone version, shown above, that encrypts and decrypts files via batch or command line, all running on the 3000. This Flat File Encryption Program gives an authorized manager the ability to encrypt or decrypt files on demand. Even archival spoolfiles can be encrypted.
Encryption is notable for being a performance hog, and capturing IMAGE puts and gets raised the prospect of dragging down the speed of the application. "We were concerned at first when we wrote it in COBOL," Looyenga said. "But when we rewrote it all in C, we made the performance implications very negligible."
All encryption comes with some kind of speed price to pay. But Visa won't pay merchants without seeing proof of encryption. Eighteen months ago, some analysts were predicting that the July 2010 PCI deadline would drive all e-commerce off 3000s, but encryption solutions have been emerging to let stable 3000s continue to transact business over the Web.
The FluentEdge solution is noteworthy for using HP's C compiler written for the HP 3000, making the software an all-MPE/iX choice. That's important to the clients using the FluentEdge systems. Nobody wants to send card numbers outside a 3000 once again -- after they were first gathered through web servers -- and expose more of the infrastructure to audit requirements.
They care about this, Looyenga said, "because if you were to push traffic off the HP 3000 to a Windows box, for example, now they have to secure their network. That Windows box that might be receiving the numbers now also has to be PCI compliant. They'd much rather have it all native on the HP 3000."
A Programmer's Toolkit lets developers call an encryption routine on their own, if they prefer. "They do their DBGETs, and then they call DECRYPT, and when they call a DBPUT, they call a routine called ENCRYPT," Looyenga said. This version of the product can be applied to any HP 3000 application where data encryption is needed.
HP3000 CC Encryption uses one of two approaches.
1. Intercept database calls to keep credit card data encrypted in the HP 3000 database without any changes required to the application software. This requires a custom version of the encryption software that has knowledge about your database and where credit card numbers are stored. The main features include:
- Transparent to users: No changes on the application screens or reports (except those that use Suprtool)
- Strong encryption using AES 256 technology
- External tools such as Query and Suprtool will only extract encrypted data out of the database.
- A conversion program that will convert all transaction history.
2. The application software can also be modified to call the encryption software directly. This provides the best performance. It does not require a custom version of the encryption software.
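
A minimal sketch of the field-level approach described above, added here as an illustration and not FluentEdge's code. The hypothetical `db_put`/`db_get` wrappers stand in for the intercepted IMAGE calls, an in-memory list stands in for the database, and the third-party Python `cryptography` package supplies AES-256. The 16-byte field layout and single-block encryption are assumptions.

```python
# Added illustration: encrypt one mapped field at the database-call boundary.
# FIELD_MAP, db_put, db_get and raw_read are hypothetical names.
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY = os.urandom(32)  # AES-256 key, constructed here; a real key comes from key management

# Per-dataset (offset, length) of the card number in the fixed-width record.
# Assumption: the field is exactly one AES block (16 bytes), so the ciphertext
# fits the existing field. Single-block AES is deterministic: equal card
# numbers produce equal ciphertext.
FIELD_MAP = {"ORDERS": (10, 16)}

_storage = {}  # dataset name -> list of stored records (stands in for the database)


def _aes_block(data: bytes, decrypt: bool = False) -> bytes:
    cipher = Cipher(algorithms.AES(KEY), modes.ECB())
    ctx = cipher.decryptor() if decrypt else cipher.encryptor()
    return ctx.update(data) + ctx.finalize()


def _transform(dataset: str, record: bytes, decrypt: bool) -> bytes:
    if dataset not in FIELD_MAP:  # dataset holds no card data: pass through
        return record
    off, length = FIELD_MAP[dataset]
    if length != 16 or len(record) < off + length:
        raise ValueError("record layout does not match FIELD_MAP")
    field = _aes_block(record[off:off + length], decrypt)
    return record[:off] + field + record[off + length:]


def db_put(dataset: str, record: bytes) -> int:
    """Application-facing write: encrypts the mapped field before storing."""
    rows = _storage.setdefault(dataset, [])
    rows.append(_transform(dataset, record, decrypt=False))
    return len(rows) - 1


def db_get(dataset: str, recno: int) -> bytes:
    """Application-facing read: decrypts the mapped field after fetching."""
    return _transform(dataset, _storage[dataset][recno], decrypt=True)


def raw_read(dataset: str, recno: int) -> bytes:
    """What a tool that bypasses the wrapper reads: the stored bytes."""
    return _storage[dataset][recno]
```

The application sees the same record it wrote, while anything reading the stored bytes directly gets ciphertext in the card field and every other field unchanged.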
FluentEdge does the implementation for the customer, a process Looyenga described as "very easy -- we just put some XLs into the library and they're good to go."
Installing the product is easy in an Ecometry test account, but it's no more complex a demonstration process for the non-Ecometry site. Looyenga gives the customer the code to test out, and says he'll "take their word that if they don't want it they'll delete it off their system." After 10 years of serving the Ecometry customers with e-commerce enhancements, Looyenga has seen a lot of the 3000 marketplace that is concerned with PCI encryption. But the non-Ecometry solutions represent even more growth to the company, since encryption software can be implemented in any system that needs security to pass an audit.