
New software checks 3000s for PCI2 rules

Allegro Consultants has released the latest in its lineup of HP 3000 software tools. PassPCI2 is software which scans HP 3000s for unencrypted credit card numbers.

But to return to that lead for a moment: This is new software which runs on MPE/iX. That's an item all by itself. The 3000 has become a highly stable environment to use in business computing. But part of that stability flows from the lack of change to the system's ecosystem. We haven't seen a new app in a while.

Security and audits drive PassPCI2. Allegro's president Steve Cooper said the product grew up from a customer's need to pass audits on a 3000, security inventories which are needed to protect credit card numbers in IMAGE databases.

The latest PCI2 compliance requirements demand that credit card numbers reside in one of two states on a 3000: encrypted, or off the server completely. "There are lots of ways to do encryption on the HP 3000," Cooper says. The new product ensures that everything in every field of every record can be scanned for the 13-to-16-digit signature of a credit card. Encryption is a matter for other tools. Removal of the numbers from the 3000 is a more likely resolution.

After a scan of the 3000, the Allegro software identifies any field that has a string of digits which produces a valid checkmod number, a figure recognized by credit card providers such as Visa. You can look at a specific group, or account, or system-wide, Cooper says, or all KSAM records or all databases.

"We'll go through looking for these strings of digits," Cooper said, "which look like credit card numbers. Then we report our findings at several levels." PassPCI2 gives reports on which fields are discovered. The program searches disk drives for numbers stored in files or databases -- which if found, would put a 3000 in violation of PCI2 compliance.
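The scan Cooper describes, as an added illustration rather than Allegro's own code: it walks through constructed sample field values, picks out runs of 13 to 16 digits, and keeps only those that pass a mod-10 check digit test (the Luhn check, assumed here to be the "checkmod" the article refers to). Field names such as ORDERS.CUSTOMER.CARDNO and the record values are made up, and the example assumes the fields have already been read out as text.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Candidate: 13 to 16 consecutive digits not embedded in a longer digit run.
# (A card number glued onto other digits would be missed; a real scanner
# would also try the windows inside longer runs.)
CANDIDATE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit test (Luhn); assumed equivalent to the 'checkmod'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class Hit(NamedTuple):
    source: str                 # hypothetical DATABASE.DATASET.FIELD label
    offset: int                 # character offset inside the field value
    number: str

def scan_field(source: str, value: str) -> List[Hit]:
    """Return every digit run in one field value that passes the check digit."""
    return [Hit(source, m.start(), m.group())
            for m in CANDIDATE.finditer(value) if luhn_valid(m.group())]

def scan_records(records: Iterable[Tuple[str, str]]) -> List[Hit]:
    """Scan (source, value) pairs in order, as a group/account/system pass would."""
    hits: List[Hit] = []
    for source, value in records:
        hits.extend(scan_field(source, value))
    return hits

def masked(number: str) -> str:
    """First six and last four only, so the findings report is not itself a leak."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]

def report(hits: List[Hit]) -> List[str]:
    return [f"{h.source} @{h.offset}: {masked(h.number)}" for h in hits]

SAMPLE_RECORDS = [  # constructed sample data, not real customer records
    ("ORDERS.CUSTOMER.CARDNO", "4111111111111111"),
    ("ORDERS.CUSTOMER.NOTES", "paid by amex 378282246310005 on 2007-03-01"),
    ("ORDERS.INVOICE.REF", "INV 1234567890123456"),   # fails mod-10: not a card
    ("ORDERS.INVOICE.SERIAL", "41111111111111111"),   # 17 digits: not a candidate
    ("LEGACY.KSAM.REC", "old visa 4222222222222"),     # 13-digit form still matches
]

if __name__ == "__main__":
    for line in report(scan_records(SAMPLE_RECORDS)):
        print(line)
```

The numbers in the sample are the publicly known Visa and American Express test numbers, which pass the check digit without belonging to any cardholder.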

Credit card compliance rules have been identified as a possible trigger for starting a migration off a 3000. Encryption programs have been devised for MPE/iX, but this is the first product that searches the system for these numbers.

The PCI regulations have been both relentless and malleable all at once. Relentless, because auditors cannot pass a system which runs afoul of them. Any computer used in ecommerce or credit card commerce must abide. But PCI is also fuzzy, because the standard defines compliance elements which are not entirely certified. Major consulting firms like the Big Six (or really the Big Four, due to consolidation) promise PCI certifications.

However, these scans for credit cards are relatively new. If there have been no such tools for a 3000, at least now there's something to use so a company can "complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)." Allegro points out that "While there are currently no known ASVs for the HP 3000, Allegro Consultants is in the process of applying for this certification, using our PassPCI2 product."