Product Lines

Ruminations on the System i Market

June 2009

June 15, 2009 6:35 PM

Profound Logic Seeks Beta Testers for New Enterprise Portal for IBM i Apps

Profound Logic Software is finalizing a new enterprise portal product for IBM i and offering a beta program to get feedback on it. The portal, called Atrium, focuses on securely tying multiple applications together into one browser interface.

Atrium lets businesses eliminate green-screen menus that require users to drill down through various levels of options to access particular applications. It offers a tabbed layout that lets users launch multiple applications simultaneously without having to start a new session or back out of applications. Administrators can tailor the layouts for individual users or groups. Atrium integrates Profound Logic's modernization suite components (RPGsp Web applications, Genie enhanced screens, and iData database views) into one location with a single sign-on. Users also can integrate third-party applications, websites, and data located on the i or other platforms.

"Atrium was based on the business needs and requests of our clients. We worked with several customers, who demonstrated a need to redesign the way their end users navigate between application screens," says David Russo, the Atrium product development team lead for Profound Logic. "It was also important to our clients that they had more control over user access to the individual applications once they were running on the web."

Atrium is scheduled to be released in late September, but Profound Logic is looking for businesses to help beta test the portal. Beta program information is available online. Fill out the beta request form.

--Rita-Lyn Sanders, Senior Industry Editor

Posted by rsanders on June 15, 2009 at 6:35 PM

June 2, 2009 9:27 AM

Credit Card Tokenization: Put All Your Data Eggs in One Basket—and Watch That Basket

I was on a call recently with Gartner, Inc., analyst John Pescatore to learn about credit card tokenization. Pescatore, who specializes in the Payment Card Industry Data Security Standard (PCI DSS), encryption related to PCI DSS, and overall security of Internet systems for Gartner, explained that tokenization can reduce a company's odds of a data breach as well as reduce the cost and complexity of PCI DSS compliance and auditing. A couple of other Penton Media editors, including System iNEWS technical editor Mel Beckman, were also on the call, and I present our questions and Pescatore's answers here for your edification. [Editor's note: nuBridges Inc., a software company that recently released a tokenization product, arranged our discussion with Pescatore but did not attend the call or have any control over what was discussed.]

Pescatore: The basic issue we've seen from enterprises is that the PCI mandate says that certain types of data have to be masked or encrypted. However, encryption does carry costs and complexity, plus the real issue is that what businesses really need to do is minimize the number of places where they store the credit card data—because in order to encrypt card data, you need encryption keys. If you're storing this data in more places than you need, the odds get higher that your keys will get compromised. So in the past couple of years, we've seen a lot of movement away from blind encrypting.

Here's an example: A lot of pretty big companies don't have credit card payment as a big part of their business, but they have the PCI security requirement even for the small amount of payment processing they do. And they thought encrypting and other PCI security requirements were too complicated, so they outsourced the payment processing so they'd never store the card data, just a token. These companies could get full access to the transaction data, but the outsourced payment processor sends it to them without the card data. This idea of tokenization and masking started with these outsourcers. nuBridges is one of the first to work tokenization into a key management product. Now enterprises who either can't or don't want to outsource payment processing can do it themselves with tokenization. However, outsourced payment processors do have to get certified as PCI compliant.

Taking this approach, companies can keep their sensitive data in one database and use tokenization for other applications that need to look up credit card related data, thereby reducing the odds of a data breach. What's more important to most enterprises, however, is that now all those servers on which they used to store the sensitive data are no longer part of the PCI audit, because the only systems in the scope of the PCI audit are the systems that store and process the sensitive data. So what tokenization really does is limit the scope of the PCI audit, which reduces the cost of the audit and the cost of dealing with the audit.

Penton editor: Why don't companies just use the transaction ID instead of a token?

Pescatore: The basic goal is to replace the card data with something that's not the card data. But whatever you're using, you have to have a randomization process, and transaction numbers aren't truly random. Also, so many people's databases have been built to use what looks like a card number, and the transaction number isn't in that format. Well-designed tokenization approaches deal with both of those issues.

Penton editor: Is there no problem with collisions?

Pescatore: Part of the issue around doing this securely is, first off, that a token can't be easily translated into the card data. The second thing is that issue of collision, since there are only so many digits to play with. Any tokenization approach needs to be designed and implemented to be secure and to include techniques that assure collisions are avoided.

Penton editor: Why don't credit card companies do tokenization themselves? They could give you the token.

Pescatore: Several years ago, MasterCard came up with the idea of one-time credit card numbers, while Visa proposed an approach called "Secure Electronic Transactions." It turned out that what that would mean is that every merchant would have to update the software they use. But Visa and MasterCard were doing it two different ways, so it sort of died on the vine.

Merchants said, why don't the credit card companies store the data? We don't want to store it. The idea of tokenization has been around for a long time, but it's just that now that we've gone through PCI, there's a critical mass of merchants who have gotten compliant the hard way (encryption), and now they want to make it less complicated and reduce the cost. It's starting to reach the critical mass of (a) it's a good idea and (b) it can make things cheaper. Since encryption is now required, tokenization is seen as less expensive.

Penton editor: Can tokenization protect other data, such as Social Security numbers, medical data, and financial information?

Pescatore: What it really gets down to is that there's some public ID and some sensitive value, and what you want to do is break the association between the public ID and the sensitive information. So tokenization or encryption are definitely technologies that, on any of these privacy issues, can be used to break that association. The benefit of tokenization is that it reduces the complexity of handling the keys of encryption. But tokenization done badly can be a very bad sense of security if the token provided allows the attacker to figure out the information, or if it's done in a manner that breaks the legacy application.

Here's one key issue: We have standards for encryption (FIPS 140-2). Tokenization--no standards for that yet. The tokenization vendors have to pay an outside security firm to test their solution. Probably the PCI will come out with guidelines for tokenization in the next year or so, so that there will be some way to certify tokenization.

The question most companies looking at tokenization ask themselves is, is it easy to get it going without breaking my legacy applications? Their due-diligence level is that the vendor had the solution tested by a reputable third party.

Penton editor: Does Gartner have a checklist it gives its clients to tell them what to look for in their tokenization solution?

Pescatore: Not directly aimed at tokenization yet, no. There aren't enough products out there yet. Most of the questions we've been getting from Gartner clients about this have been around those outsourced payment services. As late as 2008, we were getting no questions about tokenization products, because there really weren't any such products. All the questions were around what Gartner thought about outsourcing payment processing and what Gartner thought of tokenization, which some vendors were offering.

I always tell clients that tokenization does not eliminate the need for encrypting the card data. You'll still do that in the one trusted central database that you keep secure. But it comes down to, "Put all your eggs in one basket and really watch that basket." You'll still have to do encryption right and tokenization right. Tokenization promises to get things to a higher level of security and reduce the cost of getting there.

—Linda Harty, executive editor & availability/security/networking/connectivity editor

Posted by lharty on June 2, 2009 at 9:27 AM
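As an added illustration (my own code, not from the interview, from Gartner, or from any vendor's product), here is a minimal tokenization vault in Python showing the properties Pescatore describes: tokens drawn from a CSPRNG rather than derived from the card number, a card-number-like format so legacy fields still fit, and an explicit collision check against the single trusted store. The class and method names are my own, and the PANs are constructed test numbers.

```python
import secrets

# Constructed example PANs: standard card-brand test numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5105105105105100"]


class TokenVault:
    """The single trusted store that maps tokens back to card numbers.

    In production the PAN column would be encrypted at rest (the one basket
    you watch); this example covers token generation, lookup and collisions.
    """

    def __init__(self, max_attempts: int = 16):
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}
        self.max_attempts = max_attempts

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token for pan, allocating one if needed."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        # A given card always gets the same token so downstream joins keep working.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        for _ in range(self.max_attempts):
            token = self._random_token(pan)
            # Collision avoidance: reject a token that is already issued, that
            # equals a card number held in the vault, or that equals this card.
            if (token not in self._token_to_pan
                    and token not in self._pan_to_token
                    and token != pan):
                self._token_to_pan[token] = pan
                self._pan_to_token[pan] = token
                return token
        raise RuntimeError("could not allocate a unique token")

    def detokenize(self, token: str) -> str:
        """Only code with vault access can recover the PAN; there is no formula."""
        return self._token_to_pan[token]

    @staticmethod
    def _random_token(pan: str) -> str:
        # Same length and all digits so legacy fields built for card numbers
        # accept it; the last four are kept for display. The rest comes from
        # the OS CSPRNG, not from the card data, so the token is not reversible.
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        return body + pan[-4:]
```

Applications outside the vault store only the token, which is what takes them out of the audit scope Pescatore describes; the vault itself still needs encryption at rest and access control.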
