02
Sat, Nov
2 New Articles

Technology Focus: Encryption and Tokenization

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Protecting sensitive personal data is mandated by a host of laws and standards. But what's the best method? There's the rub.

 

Of Social Security numbers (SSNs), credit card numbers, health records, and financial information, which is the most sensitive data? The good news is that there's no wrong answer. They're all "the most sensitive," depending on context and your line of business. The bad news is that protecting any of these types of information is both required and potentially expensive whether you succeed or fail to keep them secret—the latter of course being far worse.

 

The problem is that you can't just lock this data away in a vault like a bar of gold and be done with it. Doing business today requires transmission of these types of data, and a lot of other sensitive information, over networks, phone lines, airwaves, and the Internet. And those transmission methods have unknown hosts of data thieves looking to siphon off that data faster than a broke biker with a rubber hose in Sturgis.

 

What's the answer? Unfortunately, "it depends."

Church vs. State

The two most standard methods for protecting such data in transit are encryption and tokenization. End-to-end encryption is a well-known method: It's the wholesale translation of data into a form that's unreadable without a decryption key. The encrypted data is safe to transmit and can be read only by someone with the decryption key. Of course, this method requires administration and coordination of key use, necessitates some choice between which standards to use, and isn't entirely foolproof. While the encryption algorithms and the standards they're based on are ironclad so far, the point of weakness is the keys. If an unauthorized someone guesses, bribes, steals, or otherwise purloins their way to getting a key, all your data protected by that key is vulnerable. For most applications, though, encryption is the most common safeguard.

 

Tokenization technology is newer, having been introduced in 2005. It's primarily used for protecting credit card information. This method substitutes meaningless characters or symbols, called tokens, for actual numbers and transmits the tokens instead. This is preferred by most vendors dealing with credit card transactions because the process is easier to manage and it's less difficult to satisfy auditing requirements of the Payment Card Industry Data Security Standard (PCI-DSS), for which large vendors have to endure audits regularly. Not to mention the fact that just obfuscating a few numbers in transit is much simpler for IT systems to cope with than encrypting every transmitted bit.

 

For a more detailed assessment of encryption and tokenization technologies, see Gary Palgon's MC Press Online article, "Tokenization and Encryption: Technologies to Limit Your Risk." For a summary of the benefits of using tokenization to minimize the impact of audits, see the MC Press Online article, "Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data."

 

It would be nice if it was just as simple as saying you can use tokenization for credit-card transactions and encryption for everything else, but of course it isn't. Wouldn't you know, there are issues.

 

To begin with, tokenization isn't specifically recommended by any of the state or federal privacy laws, nor is it even mentioned by the PCI-DSS. But neither is it forbidden, so it's the old story of going ahead with something without asking permission and hoping for forgiveness if there's a problem later. So far so good until someone such as the PCI or your state or federal government decides it was the wrong way to go. And of course, that might never happen. Maybe.

 

In mid-August, the PCI issued an advisory paper on tokenization that says it's okay to use tokenization for payment card transactions for now. Significantly though, even the press release announcing the paper contains passages such as, "The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements," and points out that the paper is not "an endorsement of one technology over the other," hardly an unqualified recommendation.

Context Is King

Another problem is that deciding which method is more secure depends on context. Tokenization uses in-house tokenizing platforms that are integrated with back-end accounting apps. The credit-card numbers are not stored by the transmitting computer (unless you're using the database server to do the transmitting) nor are they actually transmitted. It's the tokens that are going over the Internet, so even if they are intercepted, they can't be read because they're not the actual numbers. Doesn't that sound safer than encryption, which does let an interloper read the data if they have the key or can somehow crack the encryption algorithm?

 

Yet another problem is that while tokenization works well for short strings of numbers like SSNs or driver's license numbers, or numbers companies make up to digitize data on their business partners, what about more complex information? Let's take for example health records, which the federal Health Insurance Portability and Accountability Act (HIPAA) require to be kept confidential. A patient's identifying numbers could be tokenized, but what about diagnoses, treatment data, medications, and other details?

 

Encryption may be the only answer in some circumstances. It's certainly more flexible; you can also use it to secure your backups, and you don't need to be particularly concerned with what data types you're encrypting. But even if you're satisfied that you can administer and keep secure your encryption keys, there's no getting around the fact that encryption is more expensive than tokenization. The software will be more expensive, the processing overhead is greater, and the security and auditing requirements are more intricate to meet.

 

Either way, the bottom line is that in deciding what data security to use, the kind of business you're in and the types of data you have to protect trump technology in a decision that's fundamentally between two technologies.

 

This article divides products surveyed into three groups: Encryption and tokenization software and services available on Power Systems machines using the IBM i OS, payment-card validation systems that use IBM i OS, and products of either type that run under AIX.

 

And as always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.

Encryption and Tokenization Products for IBM i

Applied Logic Corporation

Pro/Encrypt

Pro/Encrypt uses encryption algorithms to protect data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption.

 

HiT Software, Inc.

SafeConduct

SafeConduct uses SSL data encryption to protect access to sensitive data being transmitted across a VPN or the Internet. It establishes a secure communications channel between two TCP/IP nodes, requires no changes to application code, and provides a Windows-based audit log. SafeConduct requires a Java runtime environment on IBM i and also runs under AIX.

 

Liaison Technologies

Liaison Protect

Liaison (formerly NuBridges) Protect supports both encrypted data transfers and tokenization systems. It features centralized key management, user choice between two data-protection methods, complete audit logging, and AIX compatibility.

 

Liaison Protect TaaS

Liaison Protect TaaS is a tokenization service for enterprises routing sensitive data transmissions through the cloud. The service meets PCI-DSS standards, reduces administrative requirements for users, and maps tokens to credit-card numbers rather than individual transactions. The service supports both IBM i OS and AIX.

 

Linoma Software

Crypto Complete

Crypto Complete encrypts database fields to protect sensitive information at the source. It provides encryption-key management and auditing features, as well as support for tokenization systems. It also supports the AIX OS.

 

PKWARE

SecureZIP Server

SecureZIP Server is a compression and encryption utility for exchanging data between Windows desktops, AIX/Linux/UNIX and Windows servers, i5/OS midrange, and z/OS mainframe operating systems. It supports encryption using passphrases and X.509 digital certificates and can process encrypted data without staging it to disk first.

 

Prime Factors

EncryptRIGHT

EncryptRIGHT is a cryptographic API that separates programming from the implementation of cryptography and tokenization. Developers can use the API to add these services to custom applications. The API runs under the IBM i OS and AIX.

 

Townsend Security

Alliance AES Encryption

Alliance AES Encryption is a system of strong encryption for databases, unstructured data, reports, and offline storage held on IBM i, Linux, UNIX, and Windows servers. It includes facilities for managing encryption keys, encrypting backup media and spooled files, masking data, and logging compliance activities.

 

Alliance Token Manager

Alliance Token Manager is a tokenization system designed specifically for IBM i that features masked tokens, eliminates the need to store data in an encrypted format, and meets Visa tokenization best-practices standards.

 

PGP File Encryption

PGP File Encryption uses the PGP language as a basis for file encryption of IBM i and z systems. The product includes key management features, encryption and decryption automation via library and IFS file-system scans, and encryption activity scheduling.

Payment Card Applications for IBM i

3X Software Ltd.

EFT/400

EFT/400 handles payment card transactions via Internet, telephone sales, mail order, and PIN and onboard chip transactions. It can work with multiple national currencies, multiple companies and acquirers, and any industry sector. It includes 25 APIs and optional vendor custom programming for integration with existing applications. EFT/400 also features built-in checks for the Card Security Code (CSC) and Address Verification Service (AVS), which crosschecks additional information about cards held by their providers. The product runs under OS/400 V4R5 or higher.

 

BPC Group

SmartVista Suite

BPC Group is a Russian company with an office in Nebraska. Its SmartVista Suite handles any kind of electronic transactions, including payment cards, and uses customer choice of DB2 or Oracle databases. SmartVista is compatible with System i, Linux, and UNIX boxes, as well as IBM WebSphere and Oracle Application Server. The suite offers front-end and back-office applications for handling transactions and provides optional modules for Member Service Provider/Third Party Processor (MSP/TPP) prepaid services, enhanced loyalty scheme support, and retail banking features such as funds transfer.

 

CFXWorks, Inc.

NovaExpress 400

NovaExpress 400 is an RPG-sourced payment card solution that directly connects to the Elavon acquisition system for global account servicing. Elavon provides end-to-end processing for all payment card, e-commerce, hosted gateway, currency conversion, and electronic check services worldwide.

 

Curbstone Corporation

Curbstone Card

Curbstone Card is a veteran product started in AS/400 days that lets System i companies use the application's payment processing, card authorization, and automated settlement features. The app offers electronic approvals within three seconds, provides real-time reporting and auditing for up to a thousand transactions a minute, and has additional certifications from selected card providers.

 

IBM Corporation

IBM WebSphere Commerce

IBM's WebSphere Commerce includes WebSphere Commerce Payments, a component that handles all such transactions. WS Commerce V6, the latest version, offers plug-ins for payment cards, electronic checks, bill-me-later purchasing, COD, and credit-line purchasing. It can process partial payments, lets users set payment rules via eXtensible Markup Language (XML) files, lets customers use multiple payment methods or instructions for purchases, and can process multiple releases of an order.

 

inFORM Decisions, Inc.

ACH ePayment

ACH ePayment processes payment-card transactions through Automated Clearing House (ACH) Network, an interbank payment settlement service, by receiving payment card transactions from the user company and routing them to the appropriate banks. It also enables transfers of funds between companies (or tax payments) without using payment cards, automatically debits recurring customer bills, and provides email notification of activities.

 

JetPay LLC

JetPayi5

JetPayi5 provides a completely native IBM i solution for card processing that's accessible from green-screens, APIs, or Web interfaces. The product's gateway interacts directly with major card providers, offers a back-end reporting system that resides on a dedicated Web site, and automatically handles currency conversions.

 

Systems Technology Group

Retail Pro

Retail Pro is tailored for retail sales only but provides a complete payment card transaction system. Geared to handle operations at multiple retail outlets, it supports multiple currencies and national languages, features an open design for integration with other apps, communicates with other apps via XML, and accesses databases with SQL. Retail Pro also supports POS and store operations, inventory management, receiving, replenishment, employee management, merchandising, and retail planning.

 

tekservePOS

tekRETAIL Suite

Aimed exclusively at retail operations, tekRETAIL Suite supports the System i and provides complete POS operations functionality in addition to payment card processing. The suite includes a client-based tekRETAIL Store app that offers POS functions under Windows and a tekRETAIL Central Office component that runs on the server. The framework also handles kiosk, catalog, and e-commerce sales.

 

VeriFone

PAYware Transact

PAYware Transact uses a Java infrastructure and runs on any platform, including the IBM i. Certified by all major processors, it integrates with a wide range of applications, databases, and POS systems. It can handle checks as well as cards, offers multi-threaded processing and load-balancing features, and supports TCP/IP, TCP/IP SSL, and dialup connectivity.

 

XKS Ltd.

iPOSS Integrated Point of Sale

XKS' iPOSS is a thin-client POS system that uses real-time connection to an IBM i being used as a back-office server. In addition to payment card services, it also supports POS hardware such as cash drawer, thermal receipt printer, bar code scanner, and mouse. It includes software that enables integration with other IBM i applications, supports chip and PIN pads, and completes all transaction checks in five seconds or less.

Encryption and Tokenization Products for AIX

SafeNet

Luna SA

Luna SA is an Ethernet-attached hardware module that provides cryptographic security for sensitive data originating on platforms using AIX and other operating systems. Scalable for cloud environments, Luna SA is capable of up to 6,000 RSA and 400 ECC transactions per second, enables remote administration, and supports certificate signing, code or document signing, and bulk key generation.

 

Voltage Security

Voltage SecureData

Voltage SecureData offers end-to-end encryption, tokenization, and data masking to protect PCI cardholder data and all other sensitive information in a C- and Java-based API. It supports centralized encryption-key management, PCI-DSS and HIPAA standards, and a policy-driven approach to protecting data. SecureData operates on platforms running AIX, Windows, and other operating systems.

as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7, V6R1 

John Ghrist

John Ghrist has been a journalist, programmer, and systems manager in the computer industry since 1982. He has covered the market for IBM i servers and their predecessor platforms for more than a quarter century and has attended more than 25 COMMON conferences. A former editor-in-chief with Defense Computing and a senior editor with SystemiNEWS, John has written and edited hundreds of articles and blogs for more than a dozen print and electronic publications. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: