Four Hundred Stuff
Volume 5, Number 22 -- May 31, 2005

nuBridges Tackles PCI Security Mandate with New OS/400 Offering


by Alex Woodie


nuBridges rolled out a new iSeries software and services offering last week designed to help companies that handle credit card data meet the impending deadline for complying with the Payment Card Industry (PCI) Data Security Standard mandate. nuBridges truExchange PCI Secure enables OS/400 shops to implement encryption within their DB2/400 fields and Internet transport mechanisms, and is designed to prevent the theft of credit card information.

If you've never heard of the credit card industry's PCI Data Security Standard or Visa's Cardholder Information Security Program (CISP) that it's modeled after, you're not alone. With so many other compliance mandates, such as Sarbanes-Oxley, HIPAA, and even the California Privacy Act, clamoring for attention from IT professionals these days, the attempts by the credit card industry to put a cap on fraud largely have been lost in the crowd.

But people are starting to take notice. Visa has set a June 30 deadline for compliance with its CISP mandate, which sets standards for the handling of credit card data and the overall security of computer systems, and it plans to penalize companies up to $500,000 per incident after that, and may even kick companies out of its network. The industry's plans have been bolstered by several highly visible breaches of consumer data since January, including the theft of credit card information from 5 million consumers.

With 30 days to go before Visa's deadline, the phone has been ringing off the hook at nuBridges for help with the PCI Data Security Standard. "That $500,000 speaks pretty loud," says Gary Palgon, nuBridges director of product management. "Whereas the government doesn't typically come down and say 'Here's the mandate, the exact date, and the amount you pay if you don't comply,' when it comes to the corporate level, there's not much room for error or subjective-ness."

nuBridges also is being specific in how it can help OS/400 shops comply with the PCI Data Security Standard and Visa's CISP. Last week the Atlanta-based company launched nuBridges truExchange PCI Secure, a collection of five components--including PCI Encryption, PCI Secure Transaction Manager, PCI Audit, PCI Storage, and PCI Conversion--which span previously available products, and some new functionality.

The Encryption component enables companies to do on-the-fly, field- and file-level encryption and decryption of DB2/400 data, using 3DES and AES 256 algorithms, and either passwords or PKI certificates for authentication. (Credit card numbers must be encrypted at all times under the PCI Data Security Standard.) The Secure Transaction Manager brings SSL encryption to data sent over FTP, and also lets users navigate through firewalls and proxies, while PCI Audit logs all activity related to the access of credit card data, and ensures that any sensitive data contained in those logs is also encrypted. PCI Storage is used to secure backups, and provides field-level encryption for data that hasn't already been encrypted.

Some of the new functionality resides in the last component, called PCI Conversion. An adaptation of a tool used in Y2K remediation projects, PCI Conversion enables OS/400 shops to implement field-level encryption, without making changes to the database. The tool has been adapted to enable companies to encrypt and decrypt 16-digit credit card numbers on the fly, and to do so without changing predefined file layouts.

The capability to provide encryption on certain database fields, without making any changes to the database, is very important to customers, Palgon says. "For example, one company with hundreds and hundreds of stores, to make a database change, it has to go through the CIO. It's huge, and there's no way they can get that massive of a change done by June 30," he says.

Do-it-yourselfers can utilize OS/400 APIs to implement encryption into their DB2/400 data stores, Palgon says, "but you still have to become an encryption guru to use it. IBM includes base functionality, but not at a business level," he says.

nuBridges, which obtained its OS/400 expertise with its acquisition of TrailBlazer Systems last year, is targeting the iSeries with truExchange PCI Secure. "Our reputation and experience as security and encryption experts for the IBM eServer iSeries platform enabled us to offer a comprehensive solution to the CISP mandate from Visa," says Rich Brown, vice president of sales at nuBridges.

In addition to encryption for DB2/400, secure FTP, and logging capabilities, the nuBridges truExchange PCI Secure offering also includes professional services to help companies bring other aspects of their IT systems into compliance. For example, there are many companies still using POS systems based on OS/2 and DOS operating systems, Palgon says.


All in all, truExchange PCI Secure addresses about 25 specific PCI Data Security Standard mandates, according to a nuBridges data sheet. Companies can gauge how close they are to complying with the mandate using the PCI self-assessment questionnaire (in PDF format).

Compliance with the PCI Data Security Standard is a pass-fail prospect, and companies that are certified must satisfy all requirements. Companies processing six million transactions per year or more must undergo a "PCI scan" by an authorized PCI scan provider before they are considered compliant. By June 30, all companies are required to be compliant, although only those processing more than 20,000 transactions per year are required to prove it by submitting documentation to merchant banks, which face penalties if they don't check.



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034