Protecting sensitive personal data is mandated by a host of laws and standards. But what's the best method? There's the rub.
Of Social Security numbers (SSNs), credit card numbers, health records, and financial information, which is the most sensitive data? The good news is that there's no wrong answer. They're all "the most sensitive," depending on context and your line of business. The bad news is that protecting any of these types of information is both required and potentially expensive whether you succeed or fail to keep them secret—the latter of course being far worse.
The problem is that you can't just lock this data away in a vault like a bar of gold and be done with it. Doing business today requires transmission of these types of data, and a lot of other sensitive information, over networks, phone lines, airwaves, and the Internet. And those transmission methods have unknown hosts of data thieves looking to siphon off that data faster than a broke biker with a rubber hose in Sturgis.
What's the answer? Unfortunately, "it depends."
Church vs. State
The two most standard methods for protecting such data in transit are encryption and tokenization. End-to-end encryption is a well-known method: It's the wholesale translation of data into a form that's unreadable without a decryption key. The encrypted data is safe to transmit and can be read only by someone with the decryption key. Of course, this method requires administration and coordination of key use, necessitates some choice between which standards to use, and isn't entirely foolproof. While the encryption algorithms and the standards they're based on are ironclad so far, the point of weakness is the keys. If an unauthorized someone guesses, bribes, steals, or otherwise purloins their way to getting a key, all your data protected by that key is vulnerable. For most applications, though, encryption is the most common safeguard.
Tokenization technology is newer, having been introduced in 2005. It's primarily used for protecting credit card information. This method substitutes meaningless characters or symbols, called tokens, for actual numbers and transmits the tokens instead. This is preferred by most vendors dealing with credit card transactions because the process is easier to manage and it's less difficult to satisfy auditing requirements of the Payment Card Industry Data Security Standard (PCI-DSS), for which large vendors have to endure audits regularly. Not to mention the fact that just obfuscating a few numbers in transit is much simpler for IT systems to cope with than encrypting every transmitted bit.
For a more detailed assessment of encryption and tokenization technologies, see Gary Palgon's MC Press Online article, "Tokenization and Encryption: Technologies to Limit Your Risk." For a summary of the benefits of using tokenization to minimize the impact of audits, see the MC Press Online article, "Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data."
It would be nice if it was just as simple as saying you can use tokenization for credit-card transactions and encryption for everything else, but of course it isn't. Wouldn't you know, there are issues.
To begin with, tokenization isn't specifically recommended by any of the state or federal privacy laws, nor is it even mentioned by the PCI-DSS. But neither is it forbidden, so it's the old story of going ahead with something without asking permission and hoping for forgiveness if there's a problem later. So far so good until someone such as the PCI or your state or federal government decides it was the wrong way to go. And of course, that might never happen. Maybe.
In mid-August, the PCI issued an advisory paper on tokenization that says it's okay to use tokenization for payment card transactions for now. Significantly though, even the press release announcing the paper contains passages such as, "The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements," and points out that the paper is not "an endorsement of one technology over the other," hardly an unqualified recommendation.
Context Is King
Another problem is that deciding which method is more secure depends on context. Tokenization uses in-house tokenizing platforms that are integrated with back-end accounting apps. The credit-card numbers are not stored by the transmitting computer (unless you're using the database server to do the transmitting) nor are they actually transmitted. It's the tokens that are going over the Internet, so even if they are intercepted, they can't be read because they're not the actual numbers. Doesn't that sound safer than encryption, which does let an interloper read the data if they have the key or can somehow crack the encryption algorithm?
Yet another problem is that while tokenization works well for short strings of numbers like SSNs or driver's license numbers, or numbers companies make up to digitize data on their business partners, what about more complex information? Let's take for example health records, which the federal Health Insurance Portability and Accountability Act (HIPAA) require to be kept confidential. A patient's identifying numbers could be tokenized, but what about diagnoses, treatment data, medications, and other details?
Encryption may be the only answer in some circumstances. It's certainly more flexible; you can also use it to secure your backups, and you don't need to be particularly concerned with what data types you're encrypting. But even if you're satisfied that you can administer and keep secure your encryption keys, there's no getting around the fact that encryption is more expensive than tokenization. The software will be more expensive, the processing overhead is greater, and the security and auditing requirements are more intricate to meet.
Either way, the bottom line is that in deciding what data security to use, the kind of business you're in and the types of data you have to protect trump technology in a decision that's fundamentally between two technologies.
This article divides products surveyed into three groups: Encryption and tokenization software and services available on Power Systems machines using the IBM i OS, payment-card validation systems that use IBM i OS, and products of either type that run under AIX.
And as always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.
Encryption and Tokenization Products for IBM i
Applied Logic Corporation
Pro/Encrypt uses encryption algorithms to protect data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption.
HiT Software, Inc.
SafeConduct uses SSL data encryption to protect access to sensitive data being transmitted across a VPN or the Internet. It establishes a secure communications channel between two TCP/IP nodes, requires no changes to application code, and provides a Windows-based audit log. SafeConduct requires a Java runtime environment on IBM i and also runs under AIX.
Liaison (formerly NuBridges) Protect supports both encrypted data transfers and tokenization systems. It features centralized key management, user choice between two data-protection methods, complete audit logging, and AIX compatibility.
Liaison Protect TaaS is a tokenization service for enterprises routing sensitive data transmissions through the cloud. The service meets PCI-DSS standards, reduces administrative requirements for users, and maps tokens to credit-card numbers rather than individual transactions. The service supports both IBM i OS and AIX.
Crypto Complete encrypts database fields to protect sensitive information at the source. It provides encryption-key management and auditing features, as well as support for tokenization systems. It also supports the AIX OS.
SecureZIP Server is a compression and encryption utility for exchanging data between Windows desktops, AIX/Linux/UNIX and Windows servers, i5/OS midrange, and z/OS mainframe operating systems. It supports encryption using passphrases and X.509 digital certificates and can process encrypted data without staging it to disk first.
EncryptRIGHT is a cryptographic API that separates programming from the implementation of cryptography and tokenization. Developers can use the API to add these services to custom applications. The API runs under the IBM i OS and AIX.
Alliance AES Encryption is a system of strong encryption for databases, unstructured data, reports, and offline storage held on IBM i, Linux, UNIX, and Windows servers. It includes facilities for managing encryption keys, encrypting backup media and spooled files, masking data, and logging compliance activities.
Alliance Token Manager is a tokenization system designed specifically for IBM i that features masked tokens, eliminates the need to store data in an encrypted format, and meets Visa tokenization best-practices standards.
PGP File Encryption uses the PGP language as a basis for file encryption of IBM i and z systems. The product includes key management features, encryption and decryption automation via library and IFS file-system scans, and encryption activity scheduling.
Payment Card Applications for IBM i
3X Software Ltd.
EFT/400 handles payment card transactions via Internet, telephone sales, mail order, and PIN and onboard chip transactions. It can work with multiple national currencies, multiple companies and acquirers, and any industry sector. It includes 25 APIs and optional vendor custom programming for integration with existing applications. EFT/400 also features built-in checks for the Card Security Code (CSC) and Address Verification Service (AVS), which crosschecks additional information about cards held by their providers. The product runs under OS/400 V4R5 or higher.
BPC Group is a Russian company with an office in Nebraska. Its SmartVista Suite handles any kind of electronic transactions, including payment cards, and uses customer choice of DB2 or Oracle databases. SmartVista is compatible with System i, Linux, and UNIX boxes, as well as IBM WebSphere and Oracle Application Server. The suite offers front-end and back-office applications for handling transactions and provides optional modules for Member Service Provider/Third Party Processor (MSP/TPP) prepaid services, enhanced loyalty scheme support, and retail banking features such as funds transfer.
NovaExpress 400 is an RPG-sourced payment card solution that directly connects to the Elavon acquisition system for global account servicing. Elavon provides end-to-end processing for all payment card, e-commerce, hosted gateway, currency conversion, and electronic check services worldwide.
Curbstone Card is a veteran product started in AS/400 days that lets System i companies use the application's payment processing, card authorization, and automated settlement features. The app offers electronic approvals within three seconds, provides real-time reporting and auditing for up to a thousand transactions a minute, and has additional certifications from selected card providers.
IBM's WebSphere Commerce includes WebSphere Commerce Payments, a component that handles all such transactions. WS Commerce V6, the latest version, offers plug-ins for payment cards, electronic checks, bill-me-later purchasing, COD, and credit-line purchasing. It can process partial payments, lets users set payment rules via eXtensible Markup Language (XML) files, lets customers use multiple payment methods or instructions for purchases, and can process multiple releases of an order.
inFORM Decisions, Inc.
ACH ePayment processes payment-card transactions through Automated Clearing House (ACH) Network, an interbank payment settlement service, by receiving payment card transactions from the user company and routing them to the appropriate banks. It also enables transfers of funds between companies (or tax payments) without using payment cards, automatically debits recurring customer bills, and provides email notification of activities.
JetPayi5 provides a completely native IBM i solution for card processing that's accessible from green-screens, APIs, or Web interfaces. The product's gateway interacts directly with major card providers, offers a back-end reporting system that resides on a dedicated Web site, and automatically handles currency conversions.
Systems Technology Group
Retail Pro is tailored for retail sales only but provides a complete payment card transaction system. Geared to handle operations at multiple retail outlets, it supports multiple currencies and national languages, features an open design for integration with other apps, communicates with other apps via XML, and accesses databases with SQL. Retail Pro also supports POS and store operations, inventory management, receiving, replenishment, employee management, merchandising, and retail planning.
Aimed exclusively at retail operations, tekRETAIL Suite supports the System i and provides complete POS operations functionality in addition to payment card processing. The suite includes a client-based tekRETAIL Store app that offers POS functions under Windows and a tekRETAIL Central Office component that runs on the server. The framework also handles kiosk, catalog, and e-commerce sales.
PAYware Transact uses a Java infrastructure and runs on any platform, including the IBM i. Certified by all major processors, it integrates with a wide range of applications, databases, and POS systems. It can handle checks as well as cards, offers multi-threaded processing and load-balancing features, and supports TCP/IP, TCP/IP SSL, and dialup connectivity.
XKS' iPOSS is a thin-client POS system that uses real-time connection to an IBM i being used as a back-office server. In addition to payment card services, it also supports POS hardware such as cash drawer, thermal receipt printer, bar code scanner, and mouse. It includes software that enables integration with other IBM i applications, supports chip and PIN pads, and completes all transaction checks in five seconds or less.
Encryption and Tokenization Products for AIX
Luna SA is an Ethernet-attached hardware module that provides cryptographic security for sensitive data originating on platforms using AIX and other operating systems. Scalable for cloud environments, Luna SA is capable of up to 6,000 RSA and 400 ECC transactions per second, enables remote administration, and supports certificate signing, code or document signing, and bulk key generation.
Voltage SecureData offers end-to-end encryption, tokenization, and data masking to protect PCI cardholder data and all other sensitive information in a C- and Java-based API. It supports centralized encryption-key management, PCI-DSS and HIPAA standards, and a policy-driven approach to protecting data. SecureData operates on platforms running AIX, Windows, and other operating systems.
as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7, V6R1