
Application Integration With PCI

The problematic nature of PCI-compliance application integration makes research, analysis and planning important. Done well, that up-front work can also greatly simplify the integration and reduce the effort involved.


One of the most challenging aspects of implementing Payment Card Industry (PCI) compliance is that it’s not a new application; it involves integration into existing applications. This makes it more difficult and problematic because it impacts existing business processes, affecting programs and files that have been in place for many years, created by developers who may no longer be available. Thus, much research, analysis and planning is needed to minimize the impact on a large audience of users.

PCI Compliance Application Integration: Key Activities

  • Identify necessary programmers and end users who can provide input to the PCI compliance analysis.
    • Experience is invaluable, irreplaceable and oftentimes almost nonexistent.
    • Identify or acquire tools to assist in the analysis.
  • Perform an inventory of all applications that process cardholder data (CHD).
    • Identify all files, databases and FTP extracts where credit-card numbers and other CHD reside.
    • Identify all copy books for files or other forms of CHD storage.
    • Identify all programs that process CHD.
    • Review CHD programs to see if they need modification to become PCI compliant.
    • Identify all jobs and ad-hoc queries that use the programs, files and other CHD objects.
    • Identify all reports where credit-card information is displayed.
  • Compile a list of potential techniques for PCI compliance integration.
    • Determine whether to tokenize.
    • Evaluate insertion of cryptographic logic directly into relevant programs.
    • Evaluate subroutine calls.

Staffing the Project

There are two primary staffing types to consider: individuals who perform requirements analysis and system/application design and individuals who perform programming and development. Often there are individuals involved in both parts of the project, and the project leader is invariably involved in every aspect of the project. This project leader may also be the project manager, depending on the project’s size and the skill set of the project leader.

Probably the most difficult part of the project to staff is the application analysis. Programmers or analysts with a detailed knowledge of existing applications are often scarce and usually in high demand. Yet this skill set is of paramount importance to PCI compliance integration, because it usually involves adding new functions into many applications. In addition, cryptographic processing skills may be nonexistent at the beginning, and many technical assessments in this area are required. For example, what encryption algorithms are to be used? Should encryption be at the field level, the record level or the file level? Should there be chaining or no chaining? Often an outside contractor can help evaluate cryptographic products and techniques, but skill transfer should be mandatory.

Performing an Application Inventory of CHD Processes

Often the best way to start an application inventory is to determine the files where CHD exists. Files are usually less numerous than programs and are usually represented in programs by standard copy books. Credit-card number (CC#), Card Verification Value (CVV, the three-digit number on the back of the card) and expiration date are the most likely CHD to be found.

Application knowledge is usually the starting point for identifying these files: accounts receivable, order, settlement, conversion, order entry and similar files/databases are good places to start. Follow the business flow from start to finish, and review every file accessed and/or updated along the way for CHD usage.

Once file or database copy books or column names are identified, they need to be reviewed to identify where CHD data resides. Field names, including REDEFINES and sub-definitions (e.g., expiration dates and the first six and last four digits of CC#), should be included in program scans. Data types (e.g., PIC 9(16) and PIC X(16)) should also be noted, because the declared type determines which PCI compliance code changes a given field will need.

Field names can be used in program scans via tools such as source-code managers. The copy-book name is useful as a search keyword, because it's highly likely that a program with a COPY statement for the copy book accesses the associated file. Both scan types identify programs that access CHD and code where it's processed.
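As an added example (not from the article or any IBM tool), the following Python scan applies the inventory steps above to a constructed copy book and three constructed program members: it lists the CHD fields including the REDEFINES sub-definitions, notes which of them are numeric PIC 9 fields, and flags programs either by their COPY statement or by a direct reference to a CHD field. The copy book layout, member names and the CHD name hints are all assumptions for illustration.

```python
import re
# Constructed sample copy book (not from the article): a card record whose
# REDEFINES sub-definition exposes the first six and last four digits.
CARDREC_CPY = """\
       01  CARD-REC.
           05  CUST-ID            PIC X(10).
           05  CC-NUMBER          PIC 9(16).
           05  CC-NUMBER-SPLIT    REDEFINES CC-NUMBER.
               10  CC-FIRST-SIX   PIC 9(06).
               10  CC-MIDDLE      PIC 9(06).
               10  CC-LAST-FOUR   PIC 9(04).
           05  CC-EXP-DATE        PIC 9(04).
           05  CVV-CODE           PIC X(03).
           05  ORDER-AMT          PIC 9(7)V99.
"""
# Constructed program members keyed by name; two COPY the card record, one does not.
PROGRAMS = {
    "ORDENT01": "       COPY CARDREC.\n       MOVE WS-CARD TO CC-NUMBER.\n",
    "SETTLE02": "       COPY CARDREC.\n       DISPLAY CC-LAST-FOUR.\n",
    "INVRPT03": "       COPY INVREC.\n       MOVE ZERO TO QTY-ON-HAND.\n",
}
CHD_HINTS = ("CC-", "CARD", "CVV", "EXP")   # name fragments suggesting CHD; extend to local conventions
FIELD_RE = re.compile(r"^(\d{2})\s+(\S+)(?:\s+REDEFINES\s+(\S+))?(?:\s+PIC\s+(\S+))?$", re.I)

def scan_copybook(src):
    """Return {field: (pic, redefines)} for items below level 01 whose names hint at CHD."""
    fields = {}
    for raw in src.splitlines():
        m = FIELD_RE.match(raw.strip().rstrip("."))
        if m and m.group(1) != "01" and any(h in m.group(2).upper() for h in CHD_HINTS):
            _, name, redefines, pic = m.groups()
            fields[name.upper()] = (pic, redefines.upper() if redefines else None)
    return fields

def numeric_chd_fields(fields):
    """CHD fields declared PIC 9...: an encrypted or tokenized value will not fit them unchanged."""
    return sorted(n for n, (pic, _) in fields.items() if pic and pic.startswith("9"))

def scan_programs(programs, copybook, fields):
    """Flag members that COPY the CHD copy book or name a CHD field directly."""
    hits = {}
    for member, src in programs.items():
        reasons = []
        if re.search(r"\bCOPY\s+" + re.escape(copybook) + r"\b", src, re.I):
            reasons.append("COPY " + copybook)
        # lookarounds exclude '-' so CC-NUMBER does not also match inside CC-NUMBER-SPLIT
        reasons += [f for f in fields if re.search(r"(?<![\w-])" + re.escape(f) + r"(?![\w-])", src, re.I)]
        if reasons:
            hits[member] = reasons
    return hits
```

Running the three functions over the constructed input yields seven CHD fields, five of them numeric, and two flagged members (ORDENT01 and SETTLE02); INVRPT03 neither copies the card record nor names a CHD field.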

Jim Schesvold is a technical editor for IBM Systems Magazine. Jim can be reached at jschesvold@mainframehelp.com.
