Bank marketer uses encrypted 3000 security
September 23, 2010
Software from an established supplier to credit card-processing firms is giving HP 3000s security audit features, including one vendor whose clients are banks.
Driven by a July deadline from credit card processors, owners of HP 3000s are turning to a set of tools and solutions to apply encryption security for online e-commerce. FluentEdge Technologies has been offering a two-fisted product set to punch up the transaction security on a server that’s still processing card payments.AES 256-bit encryption is at the heart of the software. FluentEdge has one solution designed for Ecometry e-commerce sites, but another set of tools is at work for a 3000 application programmer to apply to in-house systems. At banking services firm Harland Clarke, A Programmer’s Toolkit lets developers call an encryption routine on their own, if they prefer.
Systems programmer Lance Nickles said the routines FluentEdge developed were easily modified by for his in-house 3000 apps.“They were able to make the routines standalone for us,” he said, “so we could pick and choose what data we wanted to encrypt.” The operation, which serves bank processing, uses 15 databases and 25 different tables which are either partially or wholly encrypted. Harland Clarke was already PCI certified, meeting the standards required by Visa for credit card handling.
The company sends marketing-based printed products with a credit card number printed on it, Nickles explained. “The account number is the way we identify that particular order.”Encryption is notable for being a performance hog, and capturing IMAGE puts and gets presented the prospect for slowing the speed of an application. “We were concerned at first when we wrote it in COBOL,” Looyenga said. “But when we rewrote it all in C, we made the performance implications very negligible.”
Nickles said the encryption hasn’t slowed processing much, as far as he can measure. “There’s a bit of a hit, but it’s not drastic,” he said. An N-Class 4-CPU 3000 drives the processing at Harland Clarke.
FluentEdge initiates the implementation for a customer, a process Looyenga described as "very easy — we just put some XLs into the library and they’re good to go.
"They do their DBGETs, and then they call DECRYPT, and when they call a DBPUT, they call a routine called ENCRYPT,” Looyenga said. This version of the product can be applied to any HP 3000 application where data encryption is needed.
After 10 years of serving Ecometry customers with e-commerce enhancement, Looyenga has seen a good share of the 3000 marketplace concerned with PCI encryption. But non-Ecometry solutions such as the one at Harland Clarke represent even more growth to the company, since encryption software can be implemented in any system that needs security to pass an audit.
A stand-alone version encrypts and decrypts files via batch or command line, all running on the 3000. This Flat File Encryption Program gives the ability to an authorized manager to encrypt or decrypt files on demand. Even archival spoolfiles can be encrypted.
The FluentEdge solution is noteworthy for bypassing Windows, using HP’s C compiler written for the HP 3000, making the software an all-MPE/iX choice. That’s important to the clients using the FluentEdge systems. Nobody wants to send card numbers outside a 3000 once again — having first been gathered through web servers — and exposing more of the infrastructure to audit requirements.
They care about this, Looyenga said, “because if you were to push traffic off the HP 3000 to a Windows box, for example, now they have to secure their network. That Windows box that might be receiving the numbers now also has to be PCI compliant. They’d much rather have it all native on the HP 3000.”