CFXWorks Enhances Encryption Software, Focuses on Single Card Processor
August 25, 2009 Dan Burger
The payment processing business cannot stand still. With the black cloud of security breaches hanging over every business that accepts credit and debit cards, companies are concerned that increasingly sophisticated attacks on sensitive information puts formerly secure data at risk. It’s an ongoing battle that pushes the Payment Cardholder Industry Data Security Standard (PCI DSS) requirements to frequent updates. The encryption software running on your IBM AS/400 must be certified that it meets the latest standards, too.
In the case of CFXWorks, that led to modifying and rewriting the original code, completing third-party testing that assures PCI-DSS compliance, and re-certifying the software, called NovaXpress 400 Version 16. Product enhancements include support for IBM i OS V6R1, convenience fee support, and the addition of a transport agent to support CFXWorks’ CreditCardXpress integration.
CFXWorks targets organizations that need encryption security to complement their payment card solutions (although NovaXpress 400 can be used to encrypt other sensitive data as well). Its product is Java-based, which allows it to run natively on the AS/400 (data queues are required), but also provides the option of running on an appliance box supporting Windows or Linux. Companies will likely get better performance running NovaXpress 400 on the appliance box unless they have upgraded to i5/OS V6R1 (also known as IBM i), which, along with the new Power Systems hardware, has much improved Java performance.
While the payment card industry is under the gun to tighten security, you’ll find widespread disagreements among merchants and financial firms regarding the use of technology and the cost of services and systems upgrades.
NovaXpress 400 encrypts credit card data using 256-bit AES encryption, but also provides RPG programmers with access to 128-bit encryption and MD5 message digests. The most widely used is 256-bit AES.
For many companies, the bigger issue is working with the card processing company. Everyone has to have a processing company. Among the best known are companies such as Elavon, Vital, PaymentTech, Authorize.Net, and Bank of America’s Virtual Pay. There are many others, as well as numerous third-party service providers that slide in between the card processing company and the end user. CFXWorks has an exclusive arrangement with Elavon, a company formerly called Nova Information Systems and still commonly referred to by that name.
Elavon estimates it serves 850,000 merchants in North America and more than 200,000 in Europe. It also claims to be the top card processor (based on transaction volume) in North America for airlines and the second-place firm in the hospitality industry. It’s the third-largest processor in the United States, according to Alfred Nickles, the CEO and CTO at CFXWorks, and also an ex-IBMer who worked there for 25 years and led the development of MQ Series.
Nickels explained why his product is Elavon-specific.
“I had developed products that supported PaymentTech, Vital, and Virtual Pay, and others. The thing that distinguishes Elavon is that the company caters to the size of business that would typically be using an iSeries,” he says. This is what most of us know as the SMB market. Elavon is easy for the small merchants to do business with. There has been a lot of dissatisfaction in the SMB with the card processors products are too costly, difficult to work with, and support is up to expectations. There is also a lot of concern about dealing with third-party processors. Most of the processors prefer to market through third-party processors, where additional fees get added.
The merchants can go directly to Elavon. (That company does work with third-party vendors, too. Nickels says there are approximately 1,000 Elavon resellers.) Customers can negotiate pricing directly with the card processor.
Nickels has had a close relationship with Elavon for many years. He believes he gets an extra level of support for his company and his company’s customers. There will be certain situations where the third-party vendor provides a necessary service, like a special reporting capability. And some third-party providers will assume a greater degree of risk than the processors. Certain industries are higher risk than others.
Although there are good reasons for third-party vendors to be in the card payment processing business, Nickels is not a big fan. “About three-quarters of my customers are people who are ticked off at a third-party vendor,” he says. “I tell people to negotiate your own fees with the card processors and compare that to what the third-party vendors are telling you.”
The important thing to the merchant is that the software is certified from the processor and that it is PCI-DSS compliant. The more card processing companies that a given software company works with, the more certifications that are necessary. Choosing one processing company, like CFXWorks as done, reduces the number of hoops CFXWorks has to jump through.
You can buy NovaXpress 400 directly from CFXWorks.
Pricing, Nickels says, is “under $200 when it runs on a Windows or Linux box and under $500 when running on an AS/400 (iSeries, System i). That’s a flat fee on the software. The support is under $1000 per year on the Windows or Linux servers and under $2000 per year on the AS/400. More product information can be found at www.cfxworks.com.