Archive for October, 2010

What Qualifies a Product as a Managed File Transfer Solution?

Posted by on Tuesday, 26 October, 2010

As more and more companies are seeking a MFT to meet their data transfer needs, the question still arises, what exactly is a Managed File Transfer (MFT)? At a minimum, a Managed File Transfer solution is a product that encompasses all aspects of inbound and outbound file transfers that uses industry proven standards with a central, single point of administration. With a wide variety of products claiming to be a Managed File Transfer solution there are some things you may want to ask yourself (and your vendor).

  • Does the solution use industry standards protocols for secure data transfers?
  • Is the solution centrally administered or are there pc components required for administration?
  • Can I be notified in real time of certain events (e.g. errors) if they occur?
  • How will this solution affect my customers, vendors and trading partners?
  • Can audit reports be generated?
  • What type of security controls does the product have in place to allow separation of duties?
  • Are there additional modules or add-ons that might need to be purchased?
  • If our needs grow beyond our current platform, how does this solution grow with us?

As you research a vendor to handle your Managed File Transfer needs, make sure you choose a vendor that is able to not only meet your current needs, but the needs of the future. Feel free to contact us to discuss your current and future needs as well as answers to the above questions and more.

PCI-DSS 2.0

Posted by on Wednesday, 6 October, 2010

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a “need-to-know basis” (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve.

QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

In order to service these customer’s requirements, the credit card data must still be available for the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI Issues

So what’s the best way to both satisfy the requirements of PCI and still make secured data transparent to applications?

The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/de-encryption utilities that slow processing, and often leave de-encrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all.  Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSA’s three recommendations go beyond the basic requirements of the PCI standard to actually secure the credit card data at the host – and to ensure that the data isn’t misused when the data is at rest or while being transferred.

Linoma Software’s data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI-DSS V2

Industry security analysts will still complain that PCI-DSS needs to be a real security standard aimed at protecting card holder data, but Version 2.0 doesn’t provide that value.  Consequently, we need to analyze what the QSAs are recommending, and then build on PCI-DSS Version 2.0 to implement the best possible data security for our customers’ credit card data.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved